Data Protection Series: Thoughts on the new General Data Protection Regulation (GDPR)

Michael Zurcher


The EU has reached agreement on the text of a General Data Protection Regulation (GDPR) that will replace the current Data Protection Directive. This post discusses the provisions that matter most to records managers.

The new law is expected to apply from early 2018 (the exact date depends on when the Regulation is published in the Official Journal of the EU, since it applies two years after publication). It will simplify compliance because there will be a single data protection law across the European Economic Area (EEA), with only limited exceptions, such as national rules for employee data.

The underlying privacy principles have not changed. Companies still need to ensure that personal data is:

  • accurate
  • kept up to date
  • kept only for as long as necessary
  • secured so that its confidentiality, integrity and availability are protected
  • processed only for legitimate purposes.

This last element requires organizations to maintain a system that records, for each data set, the legal basis on which the data was collected (e.g., legal obligation, consent, legitimate interest, vital interest of the individual) together with the corresponding privacy notices and/or consent forms.

As under the existing regime, people living in Europe have certain rights against anyone who processes their information. These include the right to:

  • access the information (including receiving copies)
  • rectify wrong information
  • object to the processing
  • demand deletion of information (including the so-called right to be forgotten)
  • demand transfer of information.

These rights require companies to be able to locate personal information and to respond promptly and comprehensively to such requests. Keep in mind that the process must also cover data, and copies of data, that is processed by affiliates, vendors, subcontractors and similar third parties: an update or deletion request is not fulfilled until it has been propagated to them as well. The enhanced enforcement tools (e.g., increased fines), combined with the fact that a large portion of the complaints filed with local data protection authorities relate to these rights, should incentivize everyone to allocate the resources needed to develop and maintain a compliant process.

The new law also introduces the concepts of privacy by design and privacy by default. The idea is that new processes and systems must be designed from the outset to comply with privacy law: for example, they must protect data (e.g., through encryption), restrict access to it, be capable of deleting or transferring it, reduce the risk of data breaches, and so on. In addition, the new Regulation requires organizations to maintain a record of all their processing activities.

2018 will also bring the first comprehensive, EU-wide data breach notification obligation. A reportable breach covers not only unauthorized access to, deletion or alteration of personal data but also its loss. The supervisory authority must be informed within 72 hours of the organization becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the affected individuals. The affected individuals themselves must be informed only where the breach is likely to result in a high (!) risk to their rights and freedoms; this duty does not apply if the data was protected by encryption or similar measures that make it unintelligible to unauthorized parties (which presupposes that the keys were not compromised along with the data).

Organizations whose core activities require regular and systematic monitoring of individuals on a large scale, or the processing of sensitive (special category) data on a large scale, must appoint a Data Protection Officer.

Transfers to, or access from, countries outside the EEA continue to be restricted and subject to additional safeguards. Court or administrative orders from outside the EEA to transfer or disclose personal data (e.g., in the context of discovery or an investigation) may not be complied with unless they are authorized under EU law, for example through an international agreement such as a mutual legal assistance treaty.

Finally, under the new regime the maximum administrative fine increases from a cap of about EUR 1 million to EUR 20 million or 4% of worldwide revenue in the preceding financial year, whichever is higher. In most instances the fines will be substantially lower, but for egregious conduct we can expect substantial fines (the GDPR mandates that fines must be effective, proportionate and dissuasive).

For more information about what another major privacy development, the EU-U.S. Safe Harbor framework, means for records managers, see my recent data privacy blog post on the topic.
