Earlier this year the European Union approved the General Data Protection Regulation ("GDPR") as a replacement for the current UK and EU data protection regime. This reform will affect every business and other organisation which operates in the UK, regardless of size or industry.
The GDPR will ensure that individuals’ personal data is better protected. However, in order to do so it will impose more onerous obligations on businesses together with harsher penalties (breaches of the GDPR can lead to fines of 20m Euros or 4% of global turnover).
This article, which is the first in a series by Freeths on the GDPR, will provide an introduction to the new law. We will briefly explain what the GDPR is, why it is being introduced, who it will affect, some of its general implications, the timetable and what (if any) impact a Brexit would have.
Finally, we will suggest a few simple steps your organisation can take to begin preparing for the GDPR.
The rationale for introducing the GDPR
The purpose of the GDPR
Who will the GDPR apply to?
What are the implications of the GDPR?
Fines
Other changes
- the abolition of the requirement that data controllers notify (i.e. register with) the ICO of their data processing activities;
- a new requirement to notify the authorities within 72 hours (and, in some cases, also promptly notify individual data subjects) of a data breach;
- data subjects being able to complain to any regulator, the ‘one stop shop’ (in reality the regulator of the controller’s main establishment will likely remain in overall control);
- the establishment of a new European Data Protection Board which will supervise all the national data protection regulators; and
- better-defined rights for data subjects, including the right to have personal data erased or deleted (also known as the “right to be forgotten”) and a clear right to withdraw consent to processing.
Timetable and Brexit
What to do next
guidance for businesses to help them ready themselves. However, fully complying with the current law is the best way to prepare for the GDPR. If you’re not sure whether or not your organisation has complied with all the requirements of the Data Protection Act 1998 then you should seek advice from a lawyer with expertise in data protection as, if you don’t know what the law is, there’s a good chance you may be in breach of it.
Once this has been done you will then need to ensure your business understands the proposed changes and has appropriate procedures and processes in place (for example, in relation to security, data retention, staff training, contract clauses, supply chain management).
Freeths can help businesses comply with the law and prepare for the GDPR in a variety of ways, from in-house data protection training and contract reviews through to drafting Model Clauses for transfers outside the EEA and data protection policies.
The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.