As of 25 May 2018, the General Data Protection Regulation ((EU) 2016/679) will be directly applicable in all European Union member states, including the UK. "Directly applicable" means that member states are not required to introduce any implementing legislation; the General Data Protection Regulation has automatic force of law. The new legislation repeals the Data Protection Directive (95/46/EC), which, in the UK, was implemented via the Data Protection Act 1998.
What a failure to adhere means for your business
Consequently, UK businesses need to be readying themselves now for the changes that will result from this legislative shift. Waiting until 25 May 2018 will be too late, as its impact will be immediate. Moreover, the repercussions for failing to comply with the requirements of the General Data Protection Regulation are stiff. Financial penalties will operate in a tiered style. National data protection authorities will be permitted to levy fines of up to the higher of Euro 20 million or 4% of annual worldwide turnover for infringements relating to the basic principles of data processing, data subjects' rights or international transfers. Other infringements, such as failures in the controller and processor obligations, may result in a fine of up to the higher of Euro 10 million or 2% of annual worldwide turnover. The scope for national data protection authorities to exercise discretion in these matters is intentionally curtailed; the General Data Protection Regulation includes a list of factors, such as the duration of the infringement and its nature and gravity, that must be taken into account when determining fines. To put these potential penalties into context, it is estimated that, in the UK, fines issued in the last financial year by the Information Commissioner's Office under the Data Protection Act 1998 would have been 79 times higher had they been issued under the General Data Protection Regulation. It is therefore no surprise that the potential penalties are one of the chief areas of concern for businesses.
Why is it happening?
The General Data Protection Regulation is being introduced to strengthen data protection measures across the EU. Furthermore, the chosen method of implementation makes clear that it is intended to harmonise data protection across member states. Its implementation as a Regulation, rather than the more frequently used Directive, immediately reduces the scope for member states to apply their own interpretations and agendas. Businesses and organisations hoping that Brexit may avert the effects of the General Data Protection Regulation must think again. Currently, the UK is still an EU member state and, as such, the General Data Protection Regulation applies automatically here as it does in all other member states. Although, if and when the UK leaves the EU, it will in theory have the ability to remodel the General Data Protection Regulation to suit itself, it is unlikely to do so, at least in the short term. Apart from anything else, the UK government will almost inevitably face calls not to place further (possibly insurmountable) obstacles in the way of UK businesses offering services within the EU, and any UK business processing the personal data of individuals in the EU would in any case remain within the Regulation's territorial scope.
Who does it apply to?
A great deal of work has already been undertaken by the UK Information Commissioner's Office and the Article 29 Working Party (made up of national data protection authorities from across the EU) to identify key areas of change and concern. One of the most significant concerns is the wider territorial application of the General Data Protection Regulation. Not only will it apply to all businesses established in the EU, it will also catch those businesses that have no formal establishment inside the EU but that nonetheless undertake "real and effective" activity there. Businesses that process personal data in the course of either offering goods or services (whether for payment or for free) to individuals located in the EU, or monitoring the behaviour of individuals within the EU (for example through online tracking and profiling), will find themselves firmly within the ambit of the General Data Protection Regulation.
What is expected of companies?
As well as an expanded territorial reach, the General Data Protection Regulation places new and onerous accountability obligations onto data controllers. As part of these enhanced accountability obligations, both data controllers and data processors may be required to designate an individual as a Data Protection Officer, and this must be somebody with appropriate specialist knowledge of data protection law and practice. Data processors must also be aware that, under the GDPR, they will for the first time have direct statutory obligations to meet. These include maintaining written records of the processing activities they carry out on behalf of each data controller, and notifying the controller without undue delay after becoming aware of a personal data breach. Data controllers, in turn, must notify personal data breaches to the supervisory authority (in the UK, the Information Commissioner's Office), unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. This must be done without "undue delay" and, where feasible, within 72 hours of becoming aware of the breach. Data controllers must provide a reasoned explanation for the delay if they cannot meet this 72 hour deadline, which in practice means organisations need detection, escalation and reporting processes in place before the deadline starts running.
Prepare your business for GDPR with a free course
Although the relevant know-how on the requirements of the General Data Protection Regulation and their likely effects is percolating through to businesses and other interested parties, there is very little time left to get up to speed and ensure compliance. It is essential for affected organisations to identify any gaps in their current data protection regime so that they are compliant when the new regime takes effect. Businesses concerned about the implications of the forthcoming changes and their own ability to identify problem areas need to act fast and decisively. Signing up for Me Learning's free GDPR course for businesses will provide a clear and thorough overview of:
- Why the General Data Protection Regulation has been introduced
- The key differences between the Data Protection Act 1998 and the General Data Protection Regulation
- The primary aim of the General Data Protection Regulation
- Who the General Data Protection Regulation applies to and how they will be affected
- Whether Brexit will make a difference
- The top five implications for organisations in the UK
Interested parties can self-register for Me Learning's free GDPR course for businesses here. Access to the content will follow registration. Suitable for all staff across organisations of all types and sizes, the course provides accessible and easily digestible data protection training.
Louise Boyd at Me Learning
Image Credit: NakoPhotography / Shutterstock