The EU General Data Protection Regulation (GDPR) applies from 25 May 2018 and will be a significant change for UK businesses. GDPR introduces new obligations, including substantial fines for processing personal data without a lawful basis such as the consent of the data subject. The regulation replaces much of the Data Protection Act 1998 (DPA98) and brings in new requirements for UK companies to meet. Regardless of Brexit, EU law continues to apply in the UK for the two-year negotiating period after Article 50 is triggered, and the ICO has stated that the GDPR will be embedded into revised UK data protection law from 25 May 2018.
The new legislation is designed to give individuals greater control over their personal data and to give businesses easier access to a digital single market governed by one set of rules. The GDPR was adopted and entered into force in the EU in 2016. Member states have a two-year implementation period, and enforcement begins in May 2018.
Under the GDPR, regulators have the authority to issue fines of up to 2% of a business's global annual turnover (or €10 million, whichever is higher) for breaches of the security, record-keeping and data protection impact assessment obligations. Breaches relating to data subject rights, the lawful basis for processing and cross-border transfers attract fines of up to 4% of global annual turnover (or €20 million, whichever is higher).
Data Protection Officers (DPOs) must be appointed by public authorities and by organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. The DPO advises the organisation and its employees of their obligations under the GDPR and monitors compliance. Like the DPA98, the GDPR requires data controllers to have a lawful basis for processing personal data. In addition, the GDPR's "right to be forgotten" (right to erasure) requires controllers to erase a data subject's personal data when the data subject requests it and no overriding ground for retention applies. Data processors, who have no direct statutory obligations under the DPA98, must meet new requirements of their own under the GDPR, and there are greater obligations when outsourcing processing to third parties, with non-compliance exposing both controller and processor to compensation claims.
The GDPR is one of the most significant changes to European legislation in a generation. Regardless of Brexit, the EU is one of the UK's largest trading partners, and anything less than an equivalent level of protection would only hinder the UK in negotiating its exit from the EU. UK businesses therefore have a matter of months to get up to speed and comply with a range of onerous new data protection requirements. A recommended first step is to create an internal cyber risk team that brings together the different stakeholders of the business to assess how the regulation will affect the business and its customers, and to decide what must be done first to comply.