With the European Parliament’s agreement on a final text for the General Data Protection Regulation on 17 December 2015, the new European data protection regulation is now likely to enter into force in spring 2018.
In this final version of the regulation, large organisations will have to pay specific attention to the five following provisions:
- The mandatory appointment of a data protection officer but only for organisations whose core activities consist of processing a large amount of personal data (‘regular and systematic monitoring of data subjects on a large scale’);
- Data Protection Impact Assessment will become mandatory when there is a high risk for the rights and freedoms of individuals , in particular when using new technology;
- Fines for breaching the regulation of up to 4% of global turnover;
- The notification of a personal data breach to the supervisory authority no later than 72 hours after having become aware of it;
- No effective system of ‘one decision, one outcome’ for cross-borders cases. EU citizens could still complain to their local data protection authority even if the case is already pending in another EU jurisdiction.
The final version of the regulation still gives each national data protection authority a margin of discretion on a case-by-case basis to matters like sanctions, definition of high risk processing, claims handling and so on.
This is preventing the regulation from achieving the initial ‘one stop shop’ wanted in the original proposal from the European Commission in 2012.
This compromise with the Council (co-legislator) and the European Commission is the result of many months of negotiations among the three EU institutions. The text has been adopted by the Civil Liberties Committee, which is leading the dossier at the European Parliament, and will now be formally endorsed during a plenary session of the Parliament in March or April.
Two years after its publication in the official journal of the EU, the new regulation will be fully applicable in 2018 in the European Union.