The General Data Protection Regulation (GDPR) will come into effect on 25 May 2018 and will be the most significant change to the data protection regime in the EU for a generation.

Despite the Brexit vote, it is anticipated that the UK will, in the short term at least, continue to implement the GDPR. Regardless, the UK will be keen to enable trade with the EU and to be considered a safe jurisdiction for data protection, so the UK is likely to continue to maintain a law similar to GDPR in the long term. In any event, if your business has operations in other EU Member States, GDPR compliance will be essential.

So, it’s important that UK businesses are aware of and prepared for the coming changes. Below is a brief summary of some of the concepts to be introduced by GDPR.

HARMONISATION OF DATA PROTECTION REGIMES

The aim is to produce a single legal framework that will apply across all EU member states. Businesses will be able to rely on a consistent set of data protection compliance obligations in different EU member states.


EXPANDED TERRITORIAL SCOPE

The GDPR catches data controllers and processors outside the EU whose processing activities relate to the offering of goods or services (even if for free) to, or monitoring the behaviour (within the EU) of, EU data subjects.

So, unlike the proposition under the Data Protection Directive (DPD), non-EU businesses with operations in the EU will be required to comply with the GDPR. This means that many non-EU businesses that were not previously required to comply with the DPD will be required to comply with the GDPR.


INCREASED ENFORCEMENT POWERS

The GDPR establishes a tiered approach to penalties for breach which enables imposed fines for:

  • Breach of requirements relating to international transfers or the basic principles for processing, such as conditions for consent, data subjects’ rights and international data transfers – up to the higher of 4% of annual worldwide turnover or EUR 20 million; and
  • Other specified infringements, for example, data processor contracts, internal record keeping, data security and breach notifications – a fine of up to the higher of 2% of annual worldwide turnover or EUR 10 million.


RISK-BASED COMPLIANCE

The GDPR adopts a risk-based approach to compliance. This means that businesses will have to bear the responsibility for self-assessing the degree of risk that their processing activities pose to data subjects.


GET IN TOUCH

We always keep a close eye on matters that could affect your business so that we can provide clear and sound advice on how to best safeguard your commercial interests. Please contact us if you’d like to discuss any aspect of data protection, compliance and security.