The GDPR will be applicable in all EU member states from 25 May 2018.
The Government has decided that it will not repeal this law upon Brexit.
What are the main changes?
The GDPR imposes a much stricter regime, with the new measures including:
- Expanded reach – the GDPR catches data controllers and processors outside the EU in relation to EU data subjects. Businesses may need to appoint an EU representative.
- Direct obligations will be imposed for data processors – for example to implement organisational measures.
- Tiered approach to penalties – companies can be fined up to 4% of annual worldwide turnover or €20,000,000 for some breaches. This is 40x higher than the current regime.
- New “European Data Protection Board” – for guidance, to replace Article 29 Working Party.
What are the main requirements?
Some of these requirements are already in place. Businesses will need to consider:
- Onerous obligations on data controllers – these can include demonstrating compliance, conducting impact assessments and building data protection into systems.
- Consent – data controllers need to demonstrate that it was given by data subjects freely, specifically and unambiguously, and that it was informed.
- Duties to notify breaches – to data protection authorities and affected data subjects.
- Requirement to have a Data Protection Officer – in certain circumstances.
- Right to be forgotten – this will apply to some individuals.
Businesses need to:
- Prepare for data security breaches – for example by developing policies and rehearsing procedures for notification.
- Establish a framework for accountability – policies and cultures designed to minimise risk, using impact assessments.
- Privacy by design – embed privacy principles in all new processing and/or products.
- Analyse the legal basis of personal data use – what data processing does the business undertake and what will it need to demonstrate?
- Check privacy notices and policies – these should be transparent and easily accessible.
- Bear in mind the rights of data subjects – how do these compete with the business’s legitimate interests and what happens if an individual tries to exercise them?
- Supplier obligations – suppliers should consider whether they have new obligations as a processor.
- Cross-border data transfers – given increased fines, businesses should review grounds for transferring personal data to jurisdictions without adequate data protection regulation.
If you would like to speak to someone at Druces LLP about what the GDPR could mean for you and your business please contact Chris Evans or Charles Avens.