Data privacy lawyers received the ultimate Christmas present in 2015: the emergence of the GDPR from the trilogue negotiations. With the start of a new year it is a good time to look at what the key features of the GDPR will be.
However, before we start we need to take a moment to reflect on how the GDPR will work: as a regulation it will apply directly in all 28 Member States, meaning that there will be no need for EU governments to implement the GDPR locally, and existing national data privacy laws and the EU Directive will fall away.
With that moment of reflection out of the way, what are the key features of the GDPR? As is to be expected with any new legislation there is quite a lot to digest so this blog post deals primarily with those features that HireRight feels are of key relevance for screening services.
- The GDPR has a much wider scope than the current regime and now has extra-territorial effect in certain circumstances.
- More information is caught by the definition of personal data i.e. location data, online identifiers, factors specific to an individual’s physical, mental, physiological, genetic, economic, social and cultural identity.
- The issue of consent is addressed and the requirements are tighter than ever. Under the GDPR consent has to be freely given, specific, informed and unambiguous, and it must be given by a “clear affirmative action”. Consent also has to be as easy to revoke as to provide and has to be presented in a way that is “clearly distinguishable” from any other information. The threshold for sensitive personal data has not changed and any consent has to be “explicit”, but the categories within the definition have been extended to include genetic and biometric data. For minors, the age of consent will be 16 when using online services; below that, and in all other instances, parental consent will be needed.
- The GDPR now takes a prescriptive approach to data protection notices, i.e. what the data subject is told at the time of data collection. Required are specifics about the identity and contact details of the data controller, the purposes of processing, who will receive the data, how long the data will be stored, and how the data subject can ask for rectification or deletion.
- Data controllers will be required to take technical and organisational measures to ensure that, by default, only personal data necessary for the specific purpose of the processing is processed (“privacy by design”).
- The GDPR includes a focus on the rights of data subjects with transparent information, communication and methods of exercising those rights being emphasised.
- Regulators will be able to fine data controllers and data processors for breach of the GDPR. Those fines have much more “bite” under the GDPR: the maximum fine is the greater of €20,000,000 (USD$21,808,000) or 4% of annual turnover for a company/undertaking for a significant breach (such as a breach involving sensitive personal data). Smaller fines of up to the greater of €10,000,000 (USD$10,903,000) or 2% of annual turnover may be levied for lesser breaches (such as failure to maintain proper records). That is some increase: for context, the maximum fine the UK’s Information Commissioner can currently impose is £500,000.
What stays the same?
- There are no changes to data security: data controllers and data processors are still required to use appropriate technical and organisational measures to ensure an appropriate level of security. That being said, the GDPR now expressly mentions both pseudonymisation and encryption as methods to consider.
- The mechanism for data transfers outside of the EEA remains pretty much the same, with the “white list” countries and model clauses remaining valid. However, the GDPR does recognise that the Commission should monitor these methods on an ongoing basis. Binding Corporate Rules are also officially recognised, but the GDPR does not deal with the issue of Safe Harbor.
The GDPR will not be in force for another two years, but it is worth starting to plan ahead in order to future-proof systems and processes.
Please be advised that this is being provided for informational purposes only. It is not intended to be comprehensive and should not be construed or relied upon as legal advice. As with all legal issues, we recommend you consult your legal counsel.
Senior Legal Counsel, HireRight EMEA & APAC
Other items of note not covered in this blog:
- “Pseudonymisation”
- The one-stop shop for enforcement
- Data Privacy Impact Assessments
- Record keeping
- Breach notification
- Mandatory Data Protection Officers