
EU Data Protection Changes: What You Need To Know

Thank you to Dale Penn, one of the talented Advent IM Security Consultants for this
informative guest post.

GDPR (General Data Protection Regulation)


Introduction
This January the European Commission revealed a draft of its
GDPR. The European Commission is hoping to introduce the
GDPR by the end of 2015 to replace the outdated EU Data Protection Directive
95/46/EC, as the current standard is inadequate to deal with issues such as
globalisation, social networks and cloud computing.
The GDPR is a Regulation rather than a Directive, which means it will have immediate
effect in all 28 EU member states once a two-year transition period has ended.
The GDPR includes a strict data protection compliance regime with severe penalties of
up to 100M euros or up to five percent of worldwide turnover for organisations in
breach of its rules.
What should it achieve?
The GDPR should provide a single set of regulations for data protection across the EU
which deals with the current global environment and the advances made in
communication technology, and should foster a baseline standard of data protection across
the EU.
Key Changes
Copyright Advent IM 2015

1. Non-EU businesses may still have to comply with the Regulation.
Non-EU controllers (and possibly non-EU processors) that do business in the EU with
EU data subjects' personal data should prepare to comply with the Regulation.
Although enforcing the Regulation beyond EU borders will be a challenge given the huge proposed
fines, those providing products or services to EU customers or processing their data
may have to face the long arm of the law if an incident is reported.
2. The definition of personal data will become broader, bringing more data into the
regulated perimeter.
The Regulation proposes that data privacy should encompass other factors that could
be used to identify an individual, such as the genetic, mental, economic, cultural or
social identity of an individual. Companies should take measures to reduce the amount
of personally identifiable information they store, and ensure that they do not store any
information for longer than necessary.
3. Rules for obtaining valid consent will change.
The consent document should be laid out in simple terms, and there is a proposal that
the consent have an expiry date. Silence or inactivity should not constitute consent.
4. The appointment of a data protection officer (DPO).
At the moment, there is still no agreement on the thresholds for appointing a DPO.
There have been proposals to appoint a DPO for each company over 250 employees,
and, in other instances, where companies process more than 5,000 data subjects a
year.
5. The introduction of mandatory privacy risk impact assessments.
A number of proposals have suggested conditions under which a privacy risk impact
assessment will be required. What seems to be clear is that a risk-based approach must
be adopted before undertaking higher-risk data processing activities. Data controllers
are likely to have to conduct privacy impact assessments to analyse and minimise the
risks to their data subjects.
6. The introduction of data breach notification.
The Data Protection Officer (DPO) will be under a legal obligation to notify the
Supervisory Authority without undue delay, although this is still subject to negotiation at
present. The reporting of a data breach is not subject to any minimum standard, and it
is likely that the GDPR will provide that such breaches must be reported to the
Supervisory Authority as soon as the organisation becomes aware of the data breach. Individuals
have to be notified if an adverse impact is determined.
7. The right to erasure.
The right to be forgotten has been replaced by a more limited right to erasure. A data
subject has the right to request erasure of personal data relating to them on any one of
a number of grounds.
8. Data portability.
A user shall be able to request a copy of personal data being processed in a format
usable by that person, and be able to transmit it electronically to another processing
system.
