The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) came into force in the European Union on the 25th of May 2018. The GDPR is a legal framework that sets guidelines for the collection and processing of personal information of individuals. Vanessa Molloy, Partner in Luxembourg, provides an overview.
The 25th of May 2018 has come and gone with a deluge of privacy notices choking up your inbox.
But what has changed? We try to answer this question by identifying the principal changes:
- Directive versus regulation
The GDPR is in the form of a regulation and is therefore applicable in all EU Member States without formal adoption into each EU Member State’s domestic law. The aim of the Regulation is to harmonise data protection rules throughout the EU. This was unfortunately not fully achieved, as the GDPR has a number of articles permitting Member States some form of modification.
- The GDPR has extra-territorial scope
If you are established outside the EU but you process personal data of data subjects who are in the Union, and the processing activities are related to (a) the offering of goods or services to such data subjects in the Union, irrespective of whether a payment by the data subject is required, or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union, you are required to comply with the GDPR with respect to those data subjects. The GDPR also requires you to appoint an EU Representative who acts as a liaison between you, the data subjects and the relevant supervisory authority.
- Data caught
The definition of personal data stays substantially the same, but the GDPR goes on to give examples of personal data and specifically adds new identifying types of data to its definition. These include names, location data and online identifiers.
- Processors are directly accountable
Processors (suppliers or service providers) process personal data on the instruction of the controller. For the first time, they are specifically included and can be held directly liable under the GDPR by their local supervisory authority. Controllers also need to ensure that they enter into written contracts with processors that include the mandatory terms prescribed under the GDPR. Controllers are further required to appoint only processors who can provide “sufficient guarantees” that the requirements of the GDPR will be met and the rights of data subjects protected.
- Rights of data subjects
Many of the “old” rights have been enhanced through additional transparency requirements, and new rights, such as the right to data portability and the right to erasure (the right to be forgotten), are now clarified and included.
- Data subject access request (SAR)
Controllers are no longer able to charge a fee when replying to a SAR unless the individual’s request is “manifestly unfounded or excessive”, and even then only a reasonable fee (which is not defined) may be charged. The response period has also changed to “without undue delay and in any event within one month of receipt of the request”. This can be extended by up to two further months where a request is particularly “complex or numerous”. If this is the case, the data subject must be contacted within one month of making their request and informed why an extension is necessary.
- Principle of accountability
The principle of accountability is specifically included in the GDPR: controllers must be able to demonstrate compliance with the principles relating to the processing of personal data, and are no longer required to register with their local supervisory authority. Article 5 of the GDPR sets out the principles: (1) lawfulness, fairness and transparency; (2) purpose limitation; (3) data minimisation; (4) accuracy; (5) storage limitation; (6) integrity and confidentiality.
- Data protection officer (DPO)
The GDPR requires that a DPO be appointed where the core activities of a non-public controller or processor require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking), or consist of processing sensitive personal data on a large scale. The GDPR sets out the role and qualifications of the DPO.
- Privacy by design and default
The GDPR includes privacy by design and by default as a legal requirement. Organisations are therefore required to implement technical and organisational measures, at the earliest stages of the design of their processing operations, in such a way that privacy and data protection principles are safeguarded right from the start. This means ensuring that personal data is processed with the highest level of privacy protection (for example, only the data necessary should be processed, storage periods should be short and access should be limited), so that by default personal data is not made accessible to an indefinite number of persons. Coupled to this concept is the requirement to conduct a Data Protection Impact Assessment (DPIA) whenever processing is likely to result in a high risk to the rights and freedoms of individuals. The DPIA is forward-looking, aimed at preventing a breach, and is therefore a good risk mitigation tool.
- Notification of data breaches
The breach notification requirements of the GDPR represent a significant change that organisations are going to have to grapple with. If a breach is likely to result in a risk to individuals’ rights and freedoms, the controller is required to notify its local supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to individuals’ rights and freedoms, the controller must also inform those individuals without undue delay so that they can mitigate any risk to them arising from the breach. Controllers need to keep a record of all personal data breaches, regardless of whether or not a breach is notifiable.
- International transfers
Rules on the export of data outside the EU have remained largely unchanged; however, the existing transfer mechanisms have been expanded and two new transfer methods introduced.
- Higher fines
Some contraventions will be subject to administrative fines of up to €10,000,000 or, in the case of undertakings, 2% of global turnover, whichever is the higher. Others that are linked to more serious violations will be subject to administrative fines of up to €20,000,000 or, in the case of undertakings, 4% of global turnover, whichever is the higher.
Organisations affected by the GDPR should by now have mapped their data, amended their policies and procedures to be GDPR compliant, determined whether a DPO is required (and, if so, appointed one), trained staff (the main line of defence), introduced common-sense measures to prevent breaches, eliminated unnecessary data, ensured IT is on top of the GDPR and provided data subjects with the necessary transparency notice (privacy notice), all while carrying on with business!
The compliance calendar should be updated to flag the review of documents and procedures as frequently as required to ensure they are continually fit for purpose under the GDPR.
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal data.
Under Article 4(12) of the GDPR, a “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.