It’s not often that legislation as significant as the General Data Protection Regulation (GDPR) comes into force. The new GDPR is an EU regulation which modernises the legal framework surrounding personal data. The content of the GDPR will likely apply to the UK even after the UK leaves the EU.
From 25th May 2018, the regulation will have direct effect in Europe (including the UK). This means that its contents do not need to be transposed into a national act of parliament (as was the case with the previous Data Protection Directive), and the articles of the regulation will apply within the EU as they stand. The GDPR is very likely to affect you if you process personal data within the EU.
The GDPR will apply to EU “established” data controllers and processors. The term “established” is likely to be interpreted broadly and flexibly. Seemingly, a company which markets its goods/services to EU residents will be considered “established”, even if that company does not consider itself to be an EU-based company. The GDPR will also apply to non-EU based companies that “monitor” EU data subjects.
The GDPR introduces various new concepts such as “the right to be forgotten”, data portability, personal data breaches and the concept of “privacy by design”.
It will also introduce strict new rules surrounding validity of data subject consent: consent must now be freely given, specific, informed and unambiguous, and must be given by the data subject taking “affirmative action”. As such, if you rely on consent to control or process personal data you must ensure that such consent is still sufficient under the GDPR. For example, consent can no longer be “bundled” or implied – separate consent must be obtained for each separate processing activity.
The possibility of regulators imposing harsh fines has also been introduced. Some breaches may attract fines of up to EUR 10,000,000 or 2% of annual worldwide turnover (whichever is greater), with other breaches attracting up to the greater of EUR 20,000,000 or 4% of annual worldwide turnover. As such, data controllers and processors must take significant steps to ensure compliance with the GDPR and in order to reduce the risk of fines.
We recommend that businesses work towards complying with the existing legal framework (based on the Data Protection Act 1998) and assess their internal procedures and policies over the next 12 months to ensure compliance with the GDPR by the implementation date.
If you wish to discuss any data protection related issues our specialist lawyers will be able to assist. Please feel free to give us a call on 020 7288 6003 or email [email protected]