ARTICLE
9 December 2016

Data Protection - The Biggest Change For A Generation

Clifton Ingram LLP
The General Data Protection Regulation (GDPR) will come into effect on 25 May 2018 and will be the most significant change to the data protection regime in the EU for a generation.

Despite the Brexit vote, it is anticipated that the UK will, in the short term at least, continue to implement the GDPR. Going forward, the UK will be keen to enable trade with the EU and will wish to be considered an adequate jurisdiction for data protection, so it is very likely that the UK will continue to maintain a law similar to the GDPR in the longer term. In any event, if your business has operations in other EU Member States, GDPR compliance will be essential.

It is, therefore, important that UK businesses are aware of and prepared for the upcoming changes. Below is a brief summary of some of the concepts to be introduced by the GDPR:

HARMONISATION OF DATA PROTECTION REGIMES

The aim is to produce a single legal framework that will apply across all EU member states. Businesses will be able to rely on a consistent set of data protection compliance obligations in different EU member states.

EXPANDED TERRITORIAL SCOPE

Unlike the position under the Data Protection Directive (DPD), non-EU businesses with operations in the EU will be required to comply with the GDPR. This means that many non-EU businesses that were not previously required to comply with the DPD will be required to comply with the GDPR.

INCREASED ENFORCEMENT POWERS

The potential fines that could be enforced against non-compliant businesses will be increased considerably. Fines will be set on a two-tier basis:

  • For breaches in relation to data processor contracts, internal record keeping, data security and breach notification, fines could be up to the greater of:
    • 2% of annual worldwide turnover of the preceding financial year; or
    • €10 million; and
  • For breaches of the data protection principles, conditions for consent, data subjects' rights and international data transfers, fines could be up to the greater of:
    • 4% of annual worldwide turnover of the preceding financial year; or
    • €20 million.

RISK-BASED COMPLIANCE

The GDPR adopts a risk-based approach to compliance. This means that businesses will have to bear responsibility for self-assessing the degree of risk that their processing activities pose to data subjects.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
