On 4 May 2016, the new legislative package on data protection was published in the Official Journal of the EU. The package was the culmination of several years of EU debate and is a major step towards a Digital Single Market. The legislation consists of the General Data Protection Regulation (GDPR) and the  Police and Criminal Justice Authorities Directive in the area of law enforcement. The GDPR introduces significant reforms to the way personal data is collected, used and shared will have direct legal effect across all EU Member States from 25 May 2018. The transition period of 2 years gives Member States and stakeholders time to fully prepare for the new legal framework.

The European Commission has published a Communication in advance of the approaching deadline providing guidance which outlines what the Commission, national data protection authorities and national administrations need to do in order to bring the preparation to a successful completion and also sets out measures the Commission intends to take in the coming months.

The EU Article 29 Working Party’s (comprising the EU’s member state data protection authorities) has prepared guidance on the interpretation and application of key provisions of the General Data Protection Regulation (GDPR).

1. Extra-territorial effect
The GDPR will have extra-territorial effect, being applicable to a controller or processor not established in the EU, if the data processed belongs to a data subject in the EU.

2. One stop shop
A more harmonised EU data protection regime, including increased co-operation and consistency between EU regulators and a ‘one-stop-shop’ for controllers. This one-stop-shop mechanism allows a company which is active in several member states to deal only with the data protection authority in the member state of its main establishment. This mechanism also provides for a single decision applicable to the entire EU territory in case of disputes.

3. Consent
Consent must be freely given, specific, informed and unambiguous. Furthermore, if data has been collected for a specific purpose, consent must be obtained for additional processing which is incompatible with the original purpose. Consent may be withdrawn at any time and it must be as easy for a data subject to withdraw their consent as to give it. The data subject should be informed of the existence of profiling and the consequences of such profiling. Consent must be explicit for sensitive data. The data controller will be required to demonstrate that consent was given.

Companies cannot collect data from children under 16 without verifiable parental consent.

4. Right to be forgotten
All subjects have the right to have their retained data removed from a database upon demand. Alongside this obligation is that of taking reasonable steps to inform third parties that the data subject has requested the erasure of any links to, or indeed copies of, that data.

5. Accountability and Privacy by Design
The GDPR places onerous accountability obligations on data controllers to demonstrate compliance. Data controllers must implement a number of security measures, including the requirement in certain cases to notify personal data breaches. To future-proof the regulation, the principles of data protection by design and by default are introduced. The concept of privacy by design requires data controllers to consider privacy risks at the outset of any new project.

6. Data Protection Officer
Data controllers and processors must designate a Data Protection Officer in certain circumstances as part of their accountability programme. The mandatory appointment of a data protection officer will be restricted to limited circumstances involving sensitive personal data or the monitoring of data subjects.

7. Mandatory data breach notification
In the event of a data breach, there is a mandatory obligation to notify the supervisory authority without delay and, where feasible, within 72 hours of the breach. In certain circumstances involving high risk to the data subject due to the breach, the data subject must also be notified without undue delay.

8. Stronger sanctions
The GDPR will provide for two tiers of sanctions, with maximum fines of up to EUR 20 million or 4% of annual worldwide turnover, whichever is greater.

9. Binding Corporate Rules
Binding Corporate Rules (BCR) will be given statutory recognition - they must be legally binding and apply to and be enforced by every member within the controller’s group of undertakings engaged in a joint economic activity, including their employees. Criteria for adequacy decisions are set-out, and new possibilities for adequate protection are likely to be provided in the form of codes of conduct and/or certifications.

10. Notification system
Data controllers will no longer be required to notify or seek approval with their local data protection authority. In its place, data controllers are required to put in place effective procedures and mechanisms focussing on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes. Data controllers will need to carry out a data protection impact assessment to consider the likelihood and severity of the risk, which would apply in particular to large scale processing operations.