European Data Protection Reform
With the recent finalisation of the new EU General Data Protection Regulation (GDPR), the countdown has begun for member states until its entry into force, which is expected to be in 2018. The GDPR will apply directly within member states without the need for implementation, replacing existing member state legislation, such as the UK’s Data Protection Act 1998.
One of the key changes to be made by the GDPR is that some of the obligations which previously only applied to data controllers are placed directly on data processors. A data controller might currently seek to contractually shift these obligations to the processor but the new rules will increase the processor’s liability as the default position and the changes are thus likely to have a significant effect on the negotiation and drafting of data protection provisions in supply contracts.
Some further changes include:
- New rights for data subjects, including the right for data subjects to request that their personal data are erased in certain circumstances;
- Significant increases in the level of fines for serious breaches;
- An obligation to report data breaches within 72 hours of becoming aware (more onerous than the suggestions made by the ICO’s current guidelines), unless the breach is unlikely to result in risk to the rights and freedoms of individuals; and
- Introduction of the requirement for certain organisations to have a data protection officer with specific duties including ensuring compliance with the GDPR.
Though the GDPR’s entry into force is 2 years away, those organisations affected by it are encouraged to start reviewing their practices and procedures now in preparation for ensuring compliance with the new rules.
For further information, please contact Richard Danks.