The General Data Protection Regulation (GDPR) takes effect on 25th May, 2018. When its provisions become binding law, the GDPR will escalate data protection to a corporate board-level topic, thanks to its heavy penalties (up to 4 percent of worldwide annual turnover, or €20,000,000, whichever is greater) and its stringent compliance requirements.

James Castro-Edwards, Partner and Head of Data Protection Law at Wedlake Bell LLP.
The GDPR included a two-year ‘sunrise’ period, to enable organisations to be compliant as soon as its provisions take effect. However, because of confusion around the European referendum, many organisations are not prepared. Despite Brexit, the government and the UK data protection authority (the Information Commissioner’s Office, or ‘ICO’) have both indicated that the GDPR will become law in the UK.
The GDPR will replace the Data Protection Act 1998 (‘DPA’) in the UK, and the European Data Protection Directive (‘Directive’), from which it originates. The GDPR is three times the length of the Directive, and significantly more prescriptive, imposing detailed obligations on organisations. It aims to set the ‘gold standard’ for data protection law; ambitiously, the European Commission has indicated an intention to export the GDPR as a basis for data protection laws around the world.
The GDPR includes the concepts and principles of the Directive and the DPA, but introduces a number of new obligations. It also applies to a wider range of organisations, including those established entirely outside the EU but doing business with citizens in Europe. The GDPR introduces the accountability principle, which means that organisations must not only comply with its provisions, but be able to demonstrate that they do so by way of policies, processes and procedures. As a result, an organisation that has not lost or compromised personal data still risks enforcement action if it cannot demonstrate that it has addressed the requirements of the law. Where an organisation does suffer a data breach, it must report it to the data protection authority within 72 hours, and promptly notify the affected individuals if the breach is likely to cause them harm.
Other significant changes the GDPR introduces are its rules around consent (which will effectively render most employees’ consent invalid) and the requirement for some types of organisation to appoint a Data Protection Officer, or DPO, who must be an expert in data protection law and practices.
The GDPR applies to any operator in the private, public and third sector that holds information about its employees, customers or suppliers. Organisations must have a thorough understanding of the personal data they hold, and exactly how they use it. This may sound simple, but many organisations hold ‘forgotten’ databases of individuals’ details they have acquired through corporate acquisitions, or that reside in legacy systems. This is often where data breaches occur, propelling businesses into the headlines and onto the radar of the ICO. HR departments pose a particular risk, as they typically hold large volumes of often sensitive personal data about employees.
Having identified the personal data they hold, organisations must ensure each item of personal data is used in compliance with the principles of the GDPR. Compliance with the DPA is a good starting point, but businesses, public authorities and charities will also need to accommodate the changes the GDPR introduces, such as conducting a data protection impact assessment prior to embarking on any new data handling practice that presents a high risk to individuals, and having a procedure in place to deal with ‘right to be forgotten’ requests from employees, customers or suppliers.
Data protection authorities in the UK and Europe will expect organisations to be compliant with the GDPR on 25th May, 2018, when it comes into force. There is no further grace period. Any business, public body or charity that is not compliant risks fines, reputational damage and compensation claims from individuals whose personal data has been misused. Data protection is no longer a compliance issue that can be ‘put on the back burner’; organisations must act now. With heavy penalties for non-compliance less than 12 months away, organisations in the public, private and third sectors that are not preparing already must address the GDPR as an urgent priority.