Updates & insights from our Corporate & Commercial team
GDPR: what you need to know
Author: Julia Seary
The General Data Protection Regulation (GDPR) is new legislation which will impact nearly all organisations across Europe from 25 May. The regulation has been introduced in order to strengthen current personal data privacy laws and put all European organisations on an equal footing in terms of compliance requirements. In a heavily data-driven world, the GDPR is an attempt to update the law to take account of the volume, variety and speed of personal data production and its global circulation.
For some years the European regulators (including the Information Commissioner's Office (ICO) in the UK) have been concerned about personal data privacy and security. Following the introduction of the GDPR, the regulators will be able to demand an increased level of openness and transparency from organisations about how personal data is controlled and used, and organisations will be expected to demonstrate better stewardship of personal data. The supervising authorities felt that individuals across Europe should benefit from new and enhanced legal rights to know exactly what organisations are doing with their personal data and why, and, in some circumstances, to request that such personal data is destroyed.
Although the key data protection principles are not changing, there are a number of changes in the way organisations need to operate. In addition to the increased transparency requirements (the information organisations will need to give to individuals, both customers and employees) and individuals' new and enhanced rights, all organisations must be able to demonstrate clearly that they have taken compliance seriously and adopted a considered, balanced approach to risk. There are new requirements to report data breaches, an obligation for some organisations to appoint a Data Protection Officer, and those organisations which simply process data on behalf of third parties will have new direct regulatory liability to the supervising authority.
The GDPR was brought into law in April 2016, so we are currently in an 'implementation' or 'grace' period, with all organisations expected to comply in full from 25 May. Despite the ambiguities of Brexit, the UK government has made it clear that the UK will adopt the GDPR even after it leaves the EU; the regulation is in fact regarded as a potential global model for all future personal data protection regulation.
Organisations should be aware that non-compliance carries the potential of significant fines: a maximum fine of up to €20m or 4% of annual worldwide turnover (whichever is greater). In addition, a failure to observe the new rules could lead to reputational damage, with a loss of customer trust and confidence.
There has been a definite increase in interest from UK organisations during the past few months as the enforcement deadline approaches. Non-compliance is not an option, and all organisations should consider carrying out a full review of what personal data they hold and why, and at the very least ensure that they have in place clear, up-to-date and accessible privacy policies for both customers and employees. It remains to be seen how the ICO will use its enforcement powers going forward, but we can expect hefty fines for those who choose to ignore the law.