Data protection is a phrase that can send a shudder through even the most proactive HR and business teams. The legislation is complex and its reach extensive. Now, with the General Data Protection Regulation ((EU) 2016/679) (the GDPR) heaving into view, UK businesses need to ensure that their systems and processes are compliant with the new regime. This is essential given that the GDPR is an EU regulation and, as such, does not require any implementing national legislation. Consequently, it will have immediate effect on the day it comes into force: 25 May 2018.
What happens to existing data protection legislation?
The GDPR will repeal the Data Protection Directive (95/46/EC) (the directive). This, in turn, will have the effect of repealing the UK’s Data Protection Act 1998, which implemented the directive into national law.
What are the main effects of the GDPR?
- New accountability obligations affecting both data controllers and data processors. These include a requirement to appoint a Data Protection Officer, who must be someone with appropriate specialist knowledge.
- An expanded territorial reach. This extends data protection obligations beyond businesses established in the EU to those that undertake “real and effective” activity there without the need for any formal establishment. Consequently, any business that offers goods or services to individuals located within the EU, or monitors the behaviour of data subjects there, will be caught by the GDPR if, as is almost inevitable, its activities involve data processing.
- An obligation to maintain written records of all data processing activities conducted within an organisation.
- An obligation to notify any breaches to the Data Processing Authority. The expectation is that this will happen within 72 hours of the data controller becoming aware of the breach. If this timescale is not met, the data controller must provide a reasoned explanation for the delay. In any event, notification must happen without “undue delay”.
What are the penalties for breaching the GDPR?
National data protection authorities are responsible for enforcing the GDPR and levying any penalties. In the UK, the relevant authority is the Information Commissioner’s Office. For infringements relating to data processing principles or international transfers, it will have the power to impose a maximum fine of the higher of Euro 20 million or 4% of annual worldwide turnover. Other infringements may attract a maximum fine of the higher of Euro 10 million or 2% of annual worldwide turnover. These are significant sums for any business’s accounts. As if to underline the potential for some serious financial shocks, it is estimated that the fines issued in the UK during the last financial year would have been 79 times higher had they been issued in accordance with the GDPR’s provisions. Businesses hoping that the Information Commissioner’s Office will exercise discretion in determining fines must think again. National data protection authorities have very limited scope to exercise any discretion, because a list of aggravating factors, including the duration, nature and gravity of an infringement, must be taken into account when levying fines.
What about the “Brexit effect”?
It is understandable if businesses hope that a looming Brexit might alter the picture somewhat. However, the UK currently remains an EU member state. As such, the GDPR will apply to the UK just as it does to all other EU member states. The position after any Brexit is slightly less clear. Although Brexit would give the UK a theoretical power to amend or repeal the provisions of the GDPR, any such remodelling is unlikely to happen, at least to any great degree. If the UK’s legislative landscape did not stay GDPR-compliant, further obstructions would be placed in the way of UK businesses offering goods and services to EU countries at what is likely to be an already extremely challenging time.
How can businesses get up to speed on the GDPR?
The Information Commissioner’s Office has produced guidance aimed at helping affected organisations understand the thrust of the changes and identify any gaps in their existing data protection regime. At this relatively late stage of affairs, it may also be worth seeking specialist advice.
Article supplied by Prosperity Law