The European Union has adopted massive changes to its data protection policy with the new General Data Protection Regulation (Regulation 2016/679; “Regulation” or “GDPR”) which will be enforced beginning 25 May 2018. The obligations assigned by the new regulation will apply to all organizations which process personal data as part of or in the performance of their services.
GDPR will replace the existing European data protection regime, Directive 95/46/EC, adopted in the ’90s, and will exceed it both in range and scope. The GDPR is intended to harmonize data protection law across the EU by removing the need for national implementation. The Regulation will be directly applicable in all Member States without the delay of separate national legislation. The GDPR applies not only to EU organizations but also to non-EU organizations if they offer goods or services to EU residents or monitor the behavior of EU residents. Many organizations that are not subject to existing EU data protection laws will be subject to the GDPR.
GDPR focuses on the principles of transparency and minimization of data. Not only must the organizations demonstrate one of seven lawful bases for collecting customer data (including consent, contract, or legitimate interest), but they must also ensure that they process only the minimum amount of personal data necessary to achieve their lawful processing purposes.
The new regulations are meant to protect the privacy and digital security of EU citizens and to give individuals control over their own data. Specifically, the Regulation recognizes eight rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be evaluated on the basis of automated processing.
Organizations must meet specific requirements to protect each of these customer rights.
Much of the GDPR discussion focuses on online businesses and services. However, the regulation is more far-reaching: the GDPR applies in all contexts and across all sectors. Essentially the same requirements apply to small businesses and large multinationals. Consequently, organizations of all types are affected by EU data protection law. Any business of any size that collects customer data and has European customers will be required to comply with the GDPR or face significant sanctions. The GDPR sets out new maximum fines of the greater of €20 million or four percent of an undertaking’s worldwide turnover.
If you would like to know more about the GDPR, or if you have any question and/or concern about its application, please feel free to contact us.
Richard Cameron: rcameron@lmiadvisors.com
Lucie Rivière: lriviere@lmiadvisors.com