Last December, the European Commission announced that consensus had finally been reached on the text of the General Data Protection Regulation (GDPR). The three law-making bodies (the European Commission, the European Parliament and the Council) had concluded their trilogue negotiations, led on the Parliament's side by Jan Philipp Albrecht, the German MEP who acted as Rapporteur on the GDPR.
Since the European Commission's announcement, the European Parliament and the Council of Ministers have formally adopted the GDPR. It has been revised somewhat since the text that was published in December 2015, though the changes are largely presentational and not, we think, substantive from a legal perspective.
So, what are the key features of this new Regulation? The European Commission's press release put the increased rights of data subjects front and centre. Some highlights of the agreed text include:
- A higher threshold for valid consent – consent will now have to be "unambiguous" for all processing of personal data, with the clarification that this requires a "clear affirmative action", and it has to be "explicit" for sensitive data. Pre-ticked boxes, silence or inactivity will no longer count. Charities will need to comply by ensuring that consent boxes are actively "ticked" and that requests for consent are worded clearly and separately from other matters. This is particularly important given the higher likelihood that charities are processing data from potentially vulnerable people such as the elderly.
- A "right to be forgotten" – while this was one of the more contentious parts of the legislation, this right (for individuals to have their data deleted if they so wish, and provided there are no legitimate grounds for retaining it) survived in the final text of the GDPR. No doubt this will continue to be controversial in some quarters, and indeed the European Commission's press release sounded almost defensive, saying "This is about protecting the privacy of individuals, not about erasing past events or restricting freedom of the press".
- Also falling in the "pro-data subject" category are new rules on data protection by design and by default: privacy safeguards must be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm – for example on social networks or mobile apps. This is particularly important for newly incorporated charities, which will need to have the correct data protection measures in place from the start. As such, this is an important point to add to the checklist when setting up a charity.
- Rights for data subjects not to be subject to decisions based solely on automated processing, including profiling, where those decisions have legal or similarly significant effects for them. Such decisions will be permitted only in limited circumstances, one of which is the data subject's explicit consent. Charities which use software to profile their supporters or beneficiaries via their website or other information sources in order to target their marketing must carefully consider their practices in light of the new Regulation.
- Significantly, the GDPR is armed with massively increased sanctions and enforcement provisions, meaning that (at the extreme end of the spectrum) data protection authorities will be able to fine organisations which do not comply with the GDPR up to 4% of their worldwide annual turnover or €20 million, whichever is higher. This is towards the higher end of the range of fines discussed during the law-making bodies' negotiations. A fine of this order could have serious consequences for any company and would certainly have grave implications for a charitable company.
The European Commission was, however, keen to stress the benefits of the GDPR for (small) businesses, namely:
- Harmonised law across Europe, a "one-stop-shop" regulator, i.e. a single lead supervisory data protection authority for organisations processing data in more than one Member State, and the abolition of formal notification / registration requirements, reducing red tape and (in theory) costs.
- Thresholds and exemptions for certain compliance obligations, aimed at sparing smaller businesses: for example, the duty to keep records of processing activities is relaxed for organisations with fewer than 250 employees (subject to exceptions), a Data Protection Officer is required only where the nature of the processing meets certain criteria, and data breaches need only be reported to the affected individuals where they are likely to result in a high risk to those individuals.
Clearly, though, there are other aspects of the GDPR which will not be so gladly received by data controllers (and indeed data processors, which will have certain new obligations of their own under the GDPR). For example, the duty to notify data breaches to the relevant data protection authority within 72 hours where feasible (and, where the breach is likely to result in a high risk to them, to the affected data subjects), and the requirement to appoint a Data Protection Officer in organisations whose core activities involve large-scale processing of sensitive data or regular and systematic monitoring of individuals on a large scale, will no doubt feel cumbersome for some, especially given the bolstering of the GDPR's sanctions and enforcement regime mentioned above. The DPO may be a member of staff or an external adviser under a service contract, but must be given the independence and resources the GDPR requires. Many of the UK's larger charities are likely to fall within the DPO requirement.
The GDPR will now be translated into all the official languages of the EU and then published in the Official Journal of the EU, probably some time in the next few months. It will enter into force shortly after publication and will apply two years after that, in 2018.
Be sure to keep a look out for more briefings on the detail of the GDPR and its implications for charities in the coming months. In the meantime, you can find the English language version of the GDPR text online.
If you require further information on anything covered in this briefing please contact Alan Baker, ([email protected]; 020 3375 7441), or your usual contact at the firm on 020 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, April 2016