The legal bit…
In order to protect all EU citizens from privacy and data breaches, the General Data Protection Regulation (‘GDPR’) was approved by the EU Parliament on 14 April 2016. The EU GDPR replaces the Data Protection Directive 95/46/EC and is perceived as the “most important change in data privacy regulation in 20 years”. Initially, because of the number of derogations in the GDPR, it was unclear whether it was a Regulation or a Directive, which led the UK Government to call for views on possible UK derogations on 12 April 2017. However, as the EU GDPR website states, the GDPR is a regulation and not a directive, and as a regulation “it will become immediately enforceable law in all member states”. All organisations must be compliant by 25 May 2018 (the enforcement date) or they will risk heavy fines.
Brexit & GDPR – good news or bad news for the UK?
As stated by the Secretary of State for Culture, Media and Sport, Karen Bradley MP, the UK will have to apply the GDPR in May 2018. She confirmed on Monday 24 October 2016: “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
In the Information Commissioner’s Office blog, Elizabeth Denham, UK Information Commissioner, commented: “I see this as good news for the UK. One of the key drivers for data protection change is the importance and continuing evolution of the digital economy in the UK and around the world. That is why both the ICO and UK government have pushed for reform of the EU law for several years.”
Therefore, the UK will have no choice but to get ready and comply with the GDPR by May 2018.
Why is it happening…?
Today’s rapidly changing data landscape has created a need to update the EU’s data regulatory environment: we are creating more personal data than ever before, and that data is processed worldwide. The GDPR’s primary goal is to update the regulations to fit today’s innovations while protecting the “fundamental rights of individuals”. Its main aims are:
- Harmonize data privacy laws across Europe;
- Establish an accountability-based compliance framework for data protection in Europe;
- Protect and empower all EU citizens’ data privacy; and
- Reshape the way organisations across the region approach data privacy.
What you should do next…
Although the GDPR’s aims are well defined, preparing for its enforcement in May 2018 is more complex. To this end, the UK Information Commissioner’s Office (‘ICO’) has created a self-assessment tool kit “Getting Ready for the GDPR”, which will give organisations a better idea of the areas to be worked on.
What are the challenges…?
The intricacy of the implementation also stems from the fact that different measures will be needed depending on the type of business, the sector, the location (i.e. whether the organisation operates in more than one EU member state) and the sensitivity of the data processed (e.g. information relating to a child, criminal records, or physical or health conditions).
A proposed approach, based on the ICO’s guidance, is as follows:
- Build awareness: if you already comply with the Data Protection Act’s (‘DPA’) main concepts and principles, that is a good starting point for building your approach to the GDPR. Ensure that key people and decision makers are aware of the new elements and significant changes.
- Use the ICO’s Checklist: this 12-step checklist will help to understand the “main differences between the current law and the GDPR”.
- Plan your approach: the GDPR might (but only might) lead to significant budgetary, IT, personnel, governance and communications implications.
- Demonstrate accountability: this is the role of the Data Controller, with the help where applicable of the Data Protection Officer (to be appointed under GDPR Article 37(1) in three specific cases), who must document what personal data is held and in what manner it is processed.
- Map out the impact on your business model: some parts of the GDPR will affect your business more than others. It is essential for the longevity of your business to work on the areas most affected.
- Prioritise: After assessing the impact of the GDPR on your business, give extra attention to the areas identified.
- Keep your knowledge up to date: visit the ICO’s website for general guidance and advice, as they are working closely with trade associations and representing bodies in various sectors.
Not complying with the GDPR will potentially put the longevity of your business at risk, and the fines for breaches will be much higher under the new regulation. The ICO will take into account the nature of the contravention, its effect, behavioural factors (e.g. whether processes were in place to avoid the contravention), the impact on the Data Controller or data subject, and other considerations relevant to determining the amount of the monetary penalty.
- Minor breaches: up to €10m or 2% of worldwide annual turnover (based on the preceding financial year).
- Major breaches: up to €20m or 4% of worldwide annual turnover.
In addition, a notifiable breach (“where it is likely to result in a risk to the rights and freedoms of individuals”) must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it.