On 14 April 2016 the European Parliament adopted the new General Data Protection Regulation (the “GDPR”), which will replace the Swedish Personal Data Act and have a major impact on the way digital business is done in Europe. Expected to be published in the Official Journal in May, the new set of rules will be binding from May 2018. EU companies and non-EU companies directing their business towards European consumers now have two years at their disposal to prepare for compliance with the new and demanding requirements.
The GDPR, described by some as a “regulatory earthquake”, will serve as one single law throughout Europe, so companies will no longer be required to adhere to 28 different privacy laws in the EU. In addition, a one-stop-shop mechanism will enable enterprises that are active in several Member States to deal with only one data protection authority, determined by their main establishment. These features of the GDPR, together with the abolition of the notification obligation, are intended to ease the burden on businesses and will make it easier for Swedish digital businesses to scale within Europe. However, the majority of the rules will impose obligations on companies, as the GDPR intends to give European citizens more control over their personal data. Processors and controllers will not only be liable for damages but may also be subject to fines of up to 20 000 000 EUR or 4% of total worldwide annual turnover (whichever is higher).
All companies processing personal data will have to re-examine the grounds on which data are collected, as the concept of freely given consent is tightened up. Companies will have to comply with provisions requiring clear and understandable information about their processing activities, and will have to accommodate the new right of data portability and the “right to be forgotten”. The majority of companies will be obliged to maintain detailed documentation of their data processing. The requirement of parental consent for processing the personal data of children under the age of 16 or 13 (as determined by national legislation) will also be a burden for businesses, particularly in the digital sector. Many companies processing personal data will have to appoint a data protection officer (DPO). And this is not the end of the list of obligations for companies.
Privacy will be a factor to be considered not only from a legal perspective but also from the technical and commercial side, as the new concepts of privacy by design, pseudonymisation and data protection impact assessments are introduced. Companies will also be obliged to implement appropriate policies for notifying the data protection authority of security breaches within 72 hours and for communicating such breaches to the individuals concerned. These new concepts mean that privacy will have to be considered in all aspects, at all levels and at all stages of the business from the very beginning.
With the GDPR, not only the data controllers (who decide the purposes and the means of processing) but also the data processors will have direct obligations and liability for damages. As a consequence, SaaS providers, cloud service providers and other service providers processing data on behalf of their customers will have to revisit their current position on data protection in their terms of service and customer agreements, and existing contracts will have to be revised.
The GDPR provides only one derogation for SMEs, namely from the requirement to maintain detailed documentation of their data processing. However, the exception does not apply if the processing is, among other things, “not occasional”. Consequently, many tech startups and digital businesses will, irrespective of the size of the company, be obliged to comply with all the requirements of the GDPR from day one.
For further information, please contact Anna Forsebäck.