- The EU’s new data protection reforms become applicable on 25th May 2018.
- GDPR (General Data Protection Regulation) is an EU regulation applicable in the UK without the need for domestic UK legislation (and so will apply between May 2018 and any departure from the EU).
- GDPR will automatically fall away in the event that the UK leaves the EU – unless, and to the extent that, the UK adopts domestic legislation to retain GDPR.
- Current UK government announcements support such retention.
- Organisations that trade in the EU, whether based there or not, must comply with these rules in regards to processing the data of their EU customers.
Data protection reform will take place through two major instruments:
- The General Data Protection Regulation (GDPR); and
- The Data Protection Directive.
A company that fails to comply with the new rules by the effective date may be subject to a fine of up to €20 million, or 4 per cent of the company’s global annual turnover.
The GDPR enables individuals to better control their personal data, regardless of where this data is sent, stored or processed.
The GDPR has four provisions which provide:
- Individuals with more access to their own data—individuals will have more information on how their data is processed (this information must be provided in a clear and understandable way);
- A right to data portability—by making it easier for individuals to transmit their personal data between service providers;
- A ‘right to be forgotten’—individuals have a right to have their personal data erased if there is no legitimate ground for retaining the data; and
- Individuals with the right to know when their information has been hacked—by creating an obligation for those who gather, store or process personal data to notify their respective national supervisory authority of any data breaches that put them at risk (notifications should be given as soon as possible so that affected individuals can take appropriate measures).
Data Protection Directive
The Data Protection Directive applies to the police and criminal justice sectors. The directive was adopted to protect the personal data of victims, witnesses and suspects in a criminal investigation or law enforcement action.
The directive also facilitates the sharing of information and cross-border cooperation to combat crime and terrorism.
Impact on Businesses
The reforms create a more efficient business environment by cutting red tape and reducing the costs many businesses must endure if they process personal data across borders. Businesses may be able to capitalise on simpler, clearer and more unified standards as they restore or maintain consumer trust.
The reforms also make new data protection standards extraterritorial by requiring all businesses to comply while they do business in an EU member state. This ensures that all players within the EU are bound by the same rules, regardless of where they are established.
In addition, the rules streamline data safety by creating one central, single supervisory authority in each member state. It also promotes a risk-based approach to compliance requirements, recognising that businesses should have different obligations and operate under standards that more accurately represent the particular risk associated with their data processing.
Finally, the new rules call for data processors to implement data protection safeguards from the early stages of product and service development to ensure that data protection becomes the norm—by design and by default. This includes appointing a data protection officer (DPO) responsible for data protection compliance. Organisations must appoint a DPO if they are a public authority, they carry out large-scale systematic monitoring of individuals, or if they carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.
Impact on Small and Medium Enterprises
The new rules also level the playing field for SMEs by requiring them to:
- Appoint DPOs only when the SMEs’ core activities require regular and systematic monitoring, or if they process special categories of personal data (for example, data that reveals racial origin or religious belief);
- Keep processing records only if processing is not occasional or is likely to put rights and freedoms at risk; and
- Report data breaches to individuals only if the breaches place their rights and freedoms at high risk.
For a more detailed overview of your responsibilities as a business under the GDPR, please consult the ICO’s guide for organisations located here