The General Data Protection Regulation (GDPR) is legislation that has applied to nearly all organisations across Europe since it came into force in 2018. The regulation was introduced to strengthen existing personal data privacy laws and to put all European organisations on an equal footing in terms of compliance requirements. In a heavily data-driven world, the GDPR is an attempt to update the law to take account of the volume, variety and speed of personal data production and its global circulation.
For some years the European regulators (including the Information Commissioner's Office (ICO) in the UK) have been concerned about personal data privacy and security. Following the introduction of the GDPR, the regulators now demand an increased level of openness and transparency from organisations about how personal data is controlled and used, and organisations are expected to demonstrate better personal data stewardship. The supervisory authorities' view is that individuals across Europe benefit from new and enhanced legal rights to know exactly what organisations are doing with their personal data and why, and, in some circumstances, to request that such personal data is destroyed.
Although the key data protection principles have not changed, there are a number of changes in the way organisations need to operate. In addition to the increased transparency requirements in terms of what information organisations will need to give to individuals (both customers and employees) and individuals' new and enhanced rights, all organisations must be able to clearly demonstrate that they have taken compliance seriously and adopted a considered balanced approach to risks. There are new requirements to report data breaches, an obligation for some organisations to appoint a Data Protection Officer, and those organisations which simply process data on behalf of other third parties will have new direct regulatory liability to the supervising authority.
The GDPR was brought into law in April 2016 and all organisations were expected to comply fully by May 2018. Despite the ambiguities of Brexit, the UK government has made it clear that the UK will adopt the GDPR even after it leaves the EU; the regulation is widely regarded as a potential global model for future personal data protection regulation.
Organisations should be aware that non-compliance carries the potential of significant fines – a maximum fine of up to €20m or 4% of annual worldwide turnover (whichever is greater). In addition, a failure to observe the new rules could lead to reputational damage, with a loss of customer trust and confidence.
Non-compliance is not an option, and all organisations should consider carrying out a full review of what personal data is held and why, and at the very least ensure that they have in place clear, up-to-date and accessible privacy policies for both customers and employees. It remains to be seen how the ICO will use its enforcement powers going forward, but we can expect hefty fines for those who choose to ignore the law.