The implementation of the General Data Protection Regulation (GDPR) is fast approaching. As of 25 May 2018, it will be law in the UK – and a looming Brexit offers no get-out clause. Firstly, this is because the UK currently remains an EU member state and so is obliged to implement EU legislation. Secondly, although the status of EU legislation will be addressed in the UK government’s ‘Great Repeal Bill’, the government has already committed to preserving the foundations of the GDPR. Apart from anything else, the ability of UK businesses to operate in Europe will be hampered if the UK does not adhere to the GDPR’s prescribed standards.
The purpose behind the GDPR is the strengthening of EU-wide data protection measures. It is essential that businesses understand that the new regime represents a significant step up in terms of rigour and reach from the existing legislation (the Data Protection Act 1998). As the GDPR is a Regulation, it does not require any implementing national legislation, and so it will apply directly from 25 May 2018.
Getting up to speed on the basics of the new requirements is essential, given the new penalties that will apply to infringements. A tiered system of penalties is to operate under the GDPR, permitting national data protection authorities to impose fines of up to 4% of annual worldwide turnover, or €20 million, whichever is the higher amount, for infringements concerning international transfers or the basic principles of data processing. Other infringements attract a lower maximum penalty – the higher of 2% of annual worldwide turnover or €10 million. Moreover, national authorities have limited scope to exercise discretion in levying these penalties. UK businesses could face fines that are 79 times higher than those currently imposed by the Information Commissioner’s Office under the Data Protection Act 1998.
Avoiding these hefty penalties will be the aim of all prudent businesses. To do so successfully will require an in-depth understanding of the GDPR’s requirements. Businesses must familiarise themselves with the new and very onerous accountability obligations to be placed on data controllers and processors. These include:
– a requirement for an appropriately qualified individual to be designated as a Data Protection Officer
– an obligation to maintain written records of all data processing activities
– an obligation to notify the Information Commissioner’s Office of any breaches of the GDPR’s obligations. The expectation is that notification will occur within 72 hours of a breach coming to light. If this timescale cannot be met, data controllers must provide a written explanation and notify without ‘undue delay’.
Businesses must also be aware of the greatly increased geographic scope of the GDPR. As is to be expected, it applies to all businesses established within the EU, but also to businesses that undertake ‘real and effective activity’ within the EU, even if they have no formal establishment there. This encompasses providers of goods and services alike, regardless of whether or not payment is taken.
It is likely that almost all businesses, including those that are fully compliant with the Data Protection Act 1998, will have significant gaps in their existing data protection systems. Now is the time to take action, to ensure those gaps are closed and that businesses are fully compliant with the requirements of the GDPR.