New rules on data protection will be coming into force in May 2018 but businesses which have not yet taken steps to review the new rules on data protection should start preparing now.
The General Data Protection Regulation (GDPR) was adopted in 2016 and will come into force in May 2018.
The GDPR will automatically apply in all EU member states. Brexit is not likely to change the application of the new rules, but the government have indicated that the GDPR will be implemented in the UK and in any event most commentators think the GDPR is likely to continue in force post-Brexit. Acceptance of European rules on data privacy is likely to be a pre-condition of allowing cross-border data flows between the UK and the remaining EU countries.
As a business, what should you be aware of?
Much of the core framework of current data protection regulations will remain in place; however there are a number of changes which businesses and organisations should be aware of. Some of the main changes include:
- the GDPR will apply to anyone who is processing the data of an EU citizen, wherever the person processing the data is based
- the GDPR will apply to wider categories of data – even if the data is anonymous and does not name an individual it may still count as personal data if an individual can be identified using the data held together with any means ‘reasonably likely to be used’
- data processors who are processing data on behalf of another organisation which ‘owns’ the data, will be potentially liable to data subjects, currently only data controllers are subject to such liability
- the penalties for data protection non-compliance are going to become substantially more onerous – including a potential fine of up to 4% of global turnover
- where consent is being relied on to process personal data the standard for consent is changing. The GDPR will require that consent is ‘freely given, specific, informed and unambiguous’ - passive consent will not count
- there are new rights to require that personal data is deleted – formalising the so-called ‘right to be forgotten’
- data subjects will have new powers to ask data controllers how they are processing the data subject’s data. Currently the data subject only has a right to ask how data is used, not just what that data is.
- there are enhanced data portability rights which require businesses to provide copies of data to subjects in a usable format
- some organisations will need to appoint a data protection officer (DPO) who is responsible for the organisation’s data processing activities
- where a data breach occurs there is a new requirement to notify both authorities and the affected individuals
The GDPR will create additional rights for data subjects and imposes greater obligations and compliance risks on businesses which process personal data (i.e. practically every business). As such, we recommend that businesses review data policies and practices well in advance of May 2018.