- offer goods or services to EU data subjects; or

- monitor the behaviour of EU data subjects,

regardless of whether the processing of the data takes place within the EU or not.

- This change will catch many non-EU businesses that were not previously required to comply with the Data Protection Directive.

Notification

'Notification' by or 'registration' of controllers with supervisory regulators will be scrapped.

This always seemed a pointless waste of time and is to be welcomed. However, the associated notification fees will presumably have to be recouped somehow.

Increased fines

The maximum fine that each of the EU national data protection authorities can impose will be significantly increased to up to 4% of annual worldwide turnover or €20 million (whichever is the greater).

- Currently, fines under national law vary and are relatively low (eg in the UK, the maximum fine is £500,000).

- The increase in the maximum level of fines will be significant and may mean much more attention is given to compliance. However, a lot will depend upon what fines are actually levied in practice. To date, national authorities have varied quite considerably in the extent to which they have imposed fines within the scope of their existing powers. There may also be a knock-on effect as greater attention is paid by controllers and processors to contractual data protection provisions, especially liability and related indemnities for breaches of security.

Stricter consent requirements

Silence or inactivity will not constitute consent to use of data. Consent must be freely given, specific, informed and unambiguous, provided by clear affirmative statement or action.

A positive statement or other evidence of affirmative agreement from the data subject will be required (eg by actively ticking a blank box - pre-ticked boxes will not suffice).

Appointment of Data Protection Officer (“DPO”)

- A new mandatory requirement is being introduced for the appointment of a DPO for the public sector and in the private sector, where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring.

- The DPO’s main tasks will be to ensure and monitor compliance with the GDPR.

- The DPO can be an employee but has to be able to perform their duties and tasks ‘independently’.

Many organisations will already have an equivalent role.

Strict rules for notification of data breach

- The controller will be required to notify a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours, with an explanation of the reasons for any delay.

- The individuals whose personal data could be adversely affected by the breach are also to be notified without undue delay.

- These requirements could mean that data protection authorities are inundated with notifications and it is unlikely they will have the resources to cope.

- Having to notify data subjects will be expensive and has been controversial. How it will play out in practice and be received by individuals will be interesting to see.

Single set of rules and ‘lead authority’

- There will be a single set of personal data protection rules, valid across the entire EU.

- Where a controller or a processor is established in more than one Member State, the data protection authority of the main establishment of the controller or processor will be the ‘lead authority’ to supervise the processing activities (a so-called ‘one-stop shop’).

- A Regulation is a form of EC legal instrument that has ‘direct effect’ which means it does not have to be implemented into national law. Differences in implementation between different Member States have led to some inconsistency. However, much will still depend on whether individual enforcement agencies interpret and apply the Regulation differently.

- The ‘one-stop shop’ should be welcomed as it will hopefully reduce expensive duplication.

Increased rights for individuals

Certain rights for individuals are to be enshrined in the legislation such as the right ‘to be forgotten’ and to ‘data portability’ between service providers.

‘Privacy by design’ and ‘privacy by default’

Data protection safeguards will be required to be built into products and services from the earliest stage of development. Privacy-friendly default settings should be the norm eg on social networks.

Processors’ obligations

For the first time processors will be under a direct obligation to comply with certain requirements of the legislation.

- Previously processors were only responsible for security and then only indirectly via a contractual commitment to the controller.

- Whereas beforehand processors and controllers could apportion financial risk as between themselves and processors could agree a cap on liability, processors will now be exposed to potentially greater risk because of the penalties that can be applied against them directly.