
Client Alert – Intellectual Property | April 2016


The Long Awaited EU General Data Protection Regulation (GDPR) Accepted! Are you ready?

The EU General Data Protection Regulation (GDPR) was accepted last week (on April 19, 2016). Although the penalties for non-compliance with the GDPR will not be enforced until mid-2018, organizations should already begin moving towards compliance, as many of the obligations will take time to integrate.

Recent technological innovations, such as social networking sites, cloud computing and location-based services, as well as highly publicized data breaches both by government security services and by hackers, have created a need to simplify data protection rules and to bolster consumer trust in the protection of their personal data. The European Union (“EU”) Parliament adopted on April 14, 2016, the new EU General Data Protection Regulation (“GDPR”), which aims to strengthen and protect individuals’ fundamental right to data protection. The GDPR will replace the antiquated EU data protection regime consisting of the 1995 Data Protection Directive[¹] and 28 national data protection laws. The GDPR will apply directly in all EU Member States and will not have to be further implemented by national legislation on a country-by-country basis.

The GDPR aims at harmonization of data protection laws across the EU, providing businesses and EU data subjects with unified European rules for data protection as well as a centralized supervisory authority. This new set of rules will streamline the current 28 national data protection laws and authorities across Europe, and eliminate the need to comply locally with each set of national data laws and their varying interpretations of the original EU framework. The goal of the GDPR is to ensure stronger enforcement of the privacy protection rules and to set global data protection standards.

What does it all mean for you?

The GDPR will have a significant impact on organizations based in the EU that process personal data, as well as on non-EU organizations that target consumers in the EU, where their processing activities relate to offering goods or services to, or to monitoring, EU data subjects.

The GDPR is expected to be published in the EU Official Journal by June; within a month after that, the GDPR will officially enter into force (barring any last-minute changes that may be made during this time). There will be a two-year implementation period, after which organizations will be required to be fully compliant, sometime in mid-2018. Organizations should become familiar with the provisions of the GDPR and begin planning for implementation now, since once the GDPR is enforced, non-compliance could result in high penalties.

The GDPR includes the following key elements:  

(1) Consent: the GDPR requires freely given, specific, informed and unambiguous consent to support lawful processing of personal data (shown either by a statement or a clear affirmative action which signifies agreement to such processing). Such consent can be withdrawn. The consent has to be “explicit” for sensitive data. Existing consent will be considered applicable, provided that it meets the new requirements. Where personal data is processed for direct marketing, individuals may have the right to object to such processing, including to any related profiling activity, at any time and free of charge. This right should be explicitly brought to their attention and will be presented clearly and separately from other information;

(2) “Right to be forgotten”: the GDPR adopts the “right to be forgotten”, allowing data subjects the right to require a data controller to erase personal information relating to them, without undue delay, if there are no legitimate grounds for retaining it;

(3) “Right to data portability”: the GDPR requires organizations to ensure that data subjects can easily transfer their personal information from one service provider to another; such right will enable the data subjects to exercise greater control over the transmission of their personal information between service providers and will make it easier for them to understand how their personal data is processed;

(4) “Data Protection Officer”: pursuant to the GDPR, in certain circumstances, data controllers and processors will have to appoint a Data Protection Officer (for example, when they are processing sensitive personal information or where their core activities consist of large-scale processing and systematic monitoring of data subjects). The Data Protection Officer shall be responsible for reporting data breaches and implementing notification mechanisms;

(5) Data Breaches: according to the GDPR, under certain circumstances, companies must notify the competent data protection authority of data breaches without undue delay (and in some cases the data subjects themselves), and where possible, within 72 hours of becoming aware of the breach. Where this obligation is not met, justification must be provided;

(6) Accountability and “Data protection by design and by default”: the GDPR places onerous accountability obligations on data controllers to demonstrate compliance. This includes, inter alia, requiring them to (i) maintain certain documentation, (ii) conduct a privacy impact assessment before processing personal data for operations that are likely to present higher privacy risks to data subjects due to the nature or scope of the processing operation, and (iii) implement data protection by design and by default, i.e., take privacy risk into account throughout the process of designing a new product or service, adopt mechanisms to ensure that, by default, only personal data which are necessary for each purpose of the processing are processed, used and retained, and ensure that tools designed to implement data protection principles, such as pseudonymisation or anonymization, are integrated as safeguards into the processing of information. The GDPR recognizes Binding Corporate Rules (BCRs) for controllers and processors of data as a means of legitimizing intra-group international transfers of data;

(7) Stronger enforcement: a single data protection authority will act as the lead regulator, coordinating with the other supervisory authorities, to handle compliance issues throughout the EU. Non-compliance could lead to heavier sanctions. The data protection authorities will be able to levy financial sanctions of up to 4% of the global annual turnover of the infringing company or 20 million Euros, whichever is greater;

(8) Data Processors: one of the key changes in the GDPR is that data processors have direct obligations. Companies processing information on behalf of other companies will be required to comply with a number of specific data protection obligations (such as implementing technical and organizational measures, notifying the controller without undue delay of data breaches and, if required, appointing a data protection officer). These new obligations will likely impact how data protection matters are addressed in supply agreements;

(9) Transparency: organizations will have increased transparency obligations to inform data subjects of the existence of the processing operation and its purposes; privacy notices will need to include much more detailed information. Modalities should be provided for facilitating the data subject’s exercise of the rights provided by this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular access to data, rectification and erasure, and to exercise the right to object.

We recommend that our clients consider, inter alia, the following to prepare for the GDPR:

  1. Performing a data inventory to understand what personal information and sensitive information they collect, how it is processed, where it is stored, how it is protected and who may have access to it.
  2. Conducting privacy impact assessments if the organization may be engaging in high-risk personal information processing.
  3. Drafting or, if applicable, revising the company’s written information security policies to ensure that appropriate technical, administrative and physical measures are in place to protect personal information. Ensure that procedures are in place to continually monitor compliance with these policies prior to, during and after processing of personal information.
  4. Implementing privacy by default and by design procedures in the company’s product development process to ensure that privacy risks are considered early in the process and that the products and services only collect and maintain the minimum amount of personal data necessary for the proper performance of the company’s products and services.
  5. Ensuring that the company has clear policies in place which meet the required standards. The company should review and update the company’s privacy policies to ensure they are easily accessible, include clear and plain language and include full disclosure of the company’s personal information collection, use and processing.
  6. Reviewing and revising, if applicable, the company’s methods of obtaining consent from data subjects to ensure that freely given, specific, informed and unambiguous consent is provided before processing data.
  7. Reviewing the company’s ability to comply with the data subject’s right to be forgotten and the right to data portability. The company should ensure that it is able to erase personal data and transfer the data to another provider when technically feasible.
  8. Reviewing the company’s cyber-incident response plans and policies and updating them if necessary, so that the company is able to react quickly to any data breach and to notify data breaches within the required time.
  9. Examining whether the company needs to appoint a data protection officer.
  10. Considering whether to adopt binding corporate rules to facilitate intra-group transfers of data.

Application in Israel

Israel’s approach to privacy generally aligns with the European Union approach to privacy, recognizing a broad right to privacy. In 2011, Israel was recognized by the EU as a non-EU state affording adequate levels of data privacy protection. We anticipate that the Israeli Law, Technology and Information Authority (“ILITA”), which is responsible for proposing regulations in this area, will provide some guidance in light of the new GDPR regime and in light of the anticipated implementation of the Privacy Shield (regarding, inter alia, the transfer abroad of personal data). We will provide updates once ILITA publishes its position with respect to this matter.

GKH’s IP and Data Privacy Group is available to assist clients in preparing for the impact of the GDPR on their business.

______________

[¹] Formally Directive 95/46/EC.

For further information regarding this update, please contact Adv. Ella Tevet, Partner, Head of IP Practice, at ellat@gkh-law.com or 03-6074588.

Gross, Kleinhendler, Hodak, Halevy, Greenberg & Co. (GKH), is one of the leading law firms in Israel, with some 150 attorneys. GKH specializes, both in Israel and abroad, in various fields of law including Mergers and Acquisitions, Capital Markets, Technology, Banking, Project Finance, Litigation, Antitrust and Competition, Energy and Infrastructure, Environmental Law, Intellectual Property, Labor Law and Tax.

This alert is prepared as an informational service to clients and colleagues of Gross, Kleinhendler, Hodak, Halevy, Greenberg & Co. (GKH) and the information presented is not intended to provide legal opinions or advice. Readers should seek professional legal advice regarding the matters about which they are particularly concerned.