The new European General Data Protection Regulation ("GDPR") - Why you should care!
The new GDPR (Regulation (EU) 2016/679), set to come into force throughout the European Union on 25 May 2018, will replace existing data protection laws throughout Europe and bring about significant changes and enhanced regulatory requirements that could have a significant impact on businesses around the world, irrespective of their location.
What are the key changes?
1. Extra-territorial applicability
The GDPR will apply to all EU and non-EU companies processing the personal data of data subjects residing in the EU ("Data Subjects"), regardless of their place of establishment or location and whether the processing takes place in the EU, where the activities relate to offering goods or services to EU citizens (irrespective of whether payment is required) or to the monitoring of behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.
2. Increased penalties for non-compliance
The maximum fine for companies in breach of GDPR will be increased to 4% of their annual global turnover, or €20 Million per infringement (whichever is greater).
3. Stricter conditions for consent
Requests to obtain consent of Data Subjects must be given in a clear, intelligible and easily accessible form, using clear and plain language, with the purpose for the data processing attached to that consent. It must be as easy to withdraw consent as it is to give it.
4. New data breach notification obligations
Companies will be required to notify the relevant European data protection authority of a data breach which is likely to "result in a risk for the rights and freedoms of individuals" within 72 hours of the breach coming to light. Companies will also be required to notify the individuals affected without undue delay where there is a high risk to the individuals concerned.
5. Strengthened Rights of Data Subjects
Data Subjects will enjoy expanded rights, in particular:
• Right to Access: The right to obtain confirmation as to whether or not their personal data is being processed, where and for what purpose. Companies will have to provide an electronic copy of the personal data without charge;
• Right to be Forgotten: This entitles Data Subjects to have the data controller erase their personal data, cease further dissemination of the data and potentially have third parties halt processing of the data; and
• Right to Data Portability: This entitles Data Subjects to receive the personal data concerning them, which they have previously provided, and have the right to transmit that data to another controller.
6. Legal requirement to implement "privacy by design"
Companies must take a proactive approach to ensure that an appropriate standard of data protection is adopted from the outset when designing systems. More specifically, data controllers "shall...implement appropriate technical and organisational measures…in an effective way…in order to meet the requirements of [GDPR] and protect the rights of data subjects".
7. Appointment of Data Protection Officers ("DPO")
Companies will be required to keep an internal record and appoint a DPO to implement and monitor compliance with the GDPR, where the core activities of data controllers or data processors consist of processing operations which require regular and systematic monitoring of:
• Data Subjects on a large scale; or
• special categories of data; or
• data relating to criminal convictions and offences.
As preliminary measures, companies should:
• Review current data protection systems and establish clear, internal regulatory policies and procedures to avoid committing any data breach.
• Set up an appropriate system in order to react promptly to any data breach and comply with notification requirements.
• Review and update privacy notices and policies to ensure they are written in clear and plain language, and easily accessible.
• Conduct regular training for employees on the handling of personal data.
• Ensure that third party data processors also implement GDPR-compliant security measures.
• Seek legal advice, where necessary.
• Most importantly (and needless to say), never forget about the rights of Data Subjects and know your obligations!
The extra-territorial reach of this EU Regulation means that it will have a significant impact upon Hong Kong companies doing business in Europe.
Howse Williams Bowers is an independent law firm which combines the in-depth experience of its lawyers with a forward-thinking approach.
Our key practice areas are corporate/commercial and corporate finance; commercial and maritime dispute resolution; clinical negligence and healthcare; insurance, personal injury and professional indemnity insurance; employment; family and matrimonial; property and building management; banking; financial services/corporate regulatory and compliance.
As an independent law firm we are able to minimise legal and commercial conflicts of interest and act for clients in every industry sector. The partners have spent the majority of their careers in Hong Kong and have a detailed understanding of international business and business in Asia.
Disclaimer: The information contained in this article is intended to be a general guide only and is not intended to provide legal advice. Please contact firstname.lastname@example.org if you have any questions about the article.