Wood said the final approval of the EU General Data Protection Regulation (GDPR) marked “another step toward data protection reform”. The GDPR aims to strengthen citizens' fundamental rights in the digital age and to facilitate business by simplifying the rules for companies operating in the digital single market.
“Many of the principles in the new legislation are much the same as those in the current law, but there are important new elements, and some things will need to be done differently,” added Wood. “It will enhance the data protection rights of individuals and make organisations more accountable. The legislation will have a two-year transition period for organisations to make those changes.
“And of course the ICO will be here to support that work. Our work around implementing the reforms has started in earnest, particularly around identifying the key areas we’ll focus our guidance on. But there’s still plenty of work to do to make sure the UK is ready for the reforms in 2018.”
The regulation will enter into force 20 days after its publication in the EU Official Journal. Because it is a regulation rather than a directive, its provisions will be directly applicable in all member states two years after that date, with no national implementing legislation required. The accompanying data protection directive for police and criminal justice authorities, adopted at the same time, works differently: member states will have two years to transpose its provisions into national law.
Because of the special status of the UK and Ireland in relation to justice and home affairs legislation, the directive's provisions will apply in those two countries only to a limited extent.
The new rules include provisions on:
- A right to be forgotten
- "Clear and affirmative consent" to the processing of private data by the person concerned
- A right to transfer data to another service provider
- The right to know when your data has been hacked
- Ensuring that privacy policies are explained in clear and understandable language
- Stronger enforcement and fines up to 4 per cent of firms' total worldwide annual turnover, as a deterrent to breaking the rules.
The European Parliament’s vote ends more than four years of work on a complete overhaul of EU data protection rules. The reform will replace the current data protection directive, dating back to 1995 when the internet was still in its infancy, with a general regulation designed to give citizens more control over their own private information in a digitised world of smartphones, social media, internet banking and global transfers.
"By setting European standards for information exchange between law enforcement authorities, the data protection directive will become a powerful and useful tool which will help authorities transfer personal data easily and efficiently, at the same time respecting the fundamental right to privacy", said Parliament's lead MEP on the directive Marju Lauristin (S&D, ET).
The GSMA also welcomes the new rules
John Giusti, chief regulatory officer of the GSMA, has also welcomed the adoption of the GDPR and the launch of the Commission’s review of the e-Privacy Directive. The e-Privacy Directive requires providers of electronic communications services to secure their processing of personal data, to notify personal data breaches, and to protect the confidentiality of communications. It also bans unsolicited communications where the user has not given their consent.
“The introduction of stronger consumer rights and harmonised rules across Europe under the GDPR is fundamental to building trust and driving the uptake of new digital services by citizens across Europe,” said Giusti. “It is now up to European data privacy regulators to work together to ensure that the GDPR rules are implemented in a way that supports economic growth and improved competitiveness. Regulators will need to exercise particular care in interpreting GDPR requirements – around consent, profiling, pseudonymous data, privacy impact assessments and transfers of data to third countries – to avoid stifling innovation in the digital and mobile sectors.
“All eyes are now on the review of the e-Privacy Directive. The right balance needs to be struck between protecting confidentiality of communications and fostering a market where innovation and investment will flourish. To this end, the GSMA calls on legislators to address the inconsistencies between the existing e-Privacy Directive 2002/58/EC and the GDPR. Consumers should be able to enjoy consistent privacy standards and experiences, irrespective of the technologies, infrastructure, business models and data flows involved or where a company may be located.”
The ICO has released a document titled Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now, which sets out the key points for businesses. The first of these is awareness: making sure that decision makers and key people in an organisation know that the law is changing to the GDPR and, as the guide puts it, “appreciate the impact this is likely to have”. It also advises that companies document what personal data they hold, where it came from and who it is shared with, adding that some organisations may need to organise an information audit to establish this.
“Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA),” states the ICO document. “So if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.”