The General Data Protection Regulation (GDPR) will come into effect on 25 May 2018 and will be the most significant change to the data protection regime in the EU for a generation.
Despite the Brexit vote, it is anticipated that the UK will, in the short term at least, continue to implement the GDPR. Going forward, the UK will be keen to enable trade with the EU and wish to be considered an adequate jurisdiction for data protection, so it is very likely that the UK will continue to maintain a law similar to the GDPR in the longer term. In any event, if your business has operations in other EU Member States, GDPR compliance will be essential.
It is, therefore, important that UK businesses are aware of and prepared for the upcoming changes. Below is a brief summary of some of the concepts to be introduced by the GDPR:
Harmonisation of data protection regimes
The aim is to produce a single legal framework that will apply across all EU member states. Businesses will be able to rely on a consistent set of data protection compliance obligations in different EU member states.
Expanded territorial scope
Unlike the position under the Data Protection Directive (DPD), non-EU businesses with operations in the EU will be required to comply with the GDPR. This means that many non-EU businesses that were not previously required to comply with the DPD will be required to comply with the GDPR.
Increased enforcement powers
The potential fines that could be enforced against non-compliant businesses will be increased considerably. Fines will be set on a two-tier basis:
- For breaches in relation to data processor contracts, internal record keeping, data security and breach notification, fines could be up to the greater of:
  - 2% of annual worldwide turnover of the preceding financial year; or
  - €10 million; and
- For breaches of the data protection principles, conditions for consent, data subjects' rights and international data transfers, fines could be up to the greater of:
  - 4% of annual worldwide turnover of the preceding financial year; or
  - €20 million.
Risk-based compliance
The GDPR adopts a risk-based approach to compliance. This means that businesses will have to bear responsibility for self-assessing the degree of risk that their processing activities pose to data subjects.
Our Corporate Services always keep a close eye on matters that could affect your business so that we can give clear and sound advice on how best to safeguard your commercial interests. If you require assistance in relation to upcoming data protection legislation or any company or commercial matters, please contact us.