Today, the GDPR replaces existing data protection laws throughout Europe and introduces significant changes and additional requirements that will have a wide-ranging impact on businesses around the world, irrespective of where they operate.
The key changes and additional requirements introduced by the GDPR are:
- European data protection law will now apply worldwide
Businesses that are established in the European Union and organizations that are located outside the EU that process personal data in relation to the offering of goods or services to individuals within the EU, or as a result of monitoring individuals within the EU, will have to comply with European data protection law. Businesses based outside of the EU will be subject to the new rules and will have to ensure they comply.
- Tougher sanctions for
The maximum fine for a breach of European data protection law will be substantially increased to a maximum of 4 percent of an enterprise's worldwide turnover or €20 million per infringement, whichever is higher.
- A new data breach
Organizations will now have to notify the relevant European data protection authority of a breach without undue delay and where feasible within 72 hours. A notification must also be made to the individuals affected without undue delay where there is a high risk to the individuals concerned.
- New data privacy governance, data mapping and impact assessment requirements
Organizations will now need to appoint a data protection officer to be responsible for implementing and monitoring that organization's compliance with the GDPR and to carry out assessments of the organization's data processing in certain circumstances. Organizations will now also be required to map their processing of personal data and undertake data protection impact assessments for higher risk processing.
- A requirement to implement "privacy by design"
Businesses must now take a proactive approach to ensure that an appropriate standard of data protection is the default when personal data is being processed.
- Strengthening of individuals' rights to personal data
Individuals in the EU will have the right to have their personal data removed from systems or online content (the "right to be forgotten"), the right not to be subjected to automated data profiling (where this would produce a legal effect) and the right to be given a copy of the personal data relating to them in a commonly used format and to have that information transmitted to another party (the "right to data portability"). Organizations must determine how they will enable individuals to exercise these rights.
- Enhanced requirements for the
Businesses must only use other parties to process personal data that provide sufficient guarantees that they will implement appropriate security measures to satisfy the requirements of the GDPR. These service providers will now be held accountable for their own level of appropriate security, must document their processing to the same extent under the GDPR and must obtain prior consent to employ sub-processors. Organizations will need to review and amend their contracts with these parties to address the changes in responsibilities.
Since the end of 2017, the Article 29 Working Party has issued new guidance (or revised existing guidance) on GDPR compliance in the following areas:
- Data Protection Impact Assessments
- Data Portability
- Data Protection Officer
- Automated decision making and profiling
- Personal data breach notification
- Application and setting of fines
Over the next few months, we will be keeping you updated on GDPR guidance, enforcement decisions throughout Europe and other substantial developments.
Originally published 25 May 2018
© Copyright 2018. The Mayer Brown Practices. All rights reserved.