Around the time we were perspiring our way through the crowds doing last-minute Christmas shopping and sipping on snowman-topped cinnamon lattes, the European Parliament and Council of the European Union were doing something entirely different. On 15th December 2015, the General Data Protection Regulation (to be implemented in 2018) was formally agreed for adoption in 2016. By way of explanation, the existing Data Protection Directive in the EU requires each member state to produce its own data protection rules (in the UK, this is in the form of the Data Protection Act 1998). The GDPR will therefore replace this - yikes.
The GDPR may not sound too menacing a threat, but for start-ups and SMEs aiming to grow their businesses and online presence, now is the time to start getting familiar with the GDPR and assessing whether changes will be needed, and which, to ensure compliance in the not-so-distant future.
Why all the fuss? In today's tech-reliant environment where data privacy protection is becoming increasingly complex, having robust procedures in place for data protection is more important than ever and should be front and centre of any small business’ agenda.
We’ve summarized some of the key draft provisions of the GDPR below for you (subject to Parliament’s revisions once published), although these are not by any means all of the draft provisions.
1. How much?
Right – this one’s a biggie. Currently, the maximum fine in the UK for breaches of data protection rules is £500,000. Under the GDPR, the proposed maximum fine could be up to 20 million euros or 4% of the company’s annual worldwide turnover (whichever is the greater). Ouch. For small businesses on the road to success, getting lumped with a fine for data protection violation may just stunt that growth.
2. Beyond the EU
The GDPR will also apply to non-EU businesses if they offer goods/services to EU individuals or if they process EU individuals’ data. In today’s digital era, where businesses strive to reach customers in multiple countries, the GDPR may mean that they need to revamp their data protection policies.
3. Data processors beware
A data processor is an individual or entity that carries out processing and storage of individuals’ (e.g. customers’) data. Currently, in the event of a data protection breach, it is the data controller (i.e. the person/entity that the data processor is acting for) that is liable. The GDPR, however, casts the liability net wider, and data processors may be liable for fines of up to 5% of the company’s annual worldwide turnover. This is still under heavy debate, and we’re keen to see what the published provisions will look like.
4. I hereby consent
Although the precise terms are yet to be published, the GDPR is likely to make it harder for businesses to prove that individuals ‘consented’ to having their data processed and stored. For businesses relying heavily on internet traffic or mobile app sharing, this may be something that will need addressing earlier on at an operational level, for example, during the production stage of an app.
5. Policeman for all
Currently, the Information Commissioner’s Office (ICO) in the UK monitors, investigates and enforces alleged data protection breaches. Under the GDPR, there’ll be one single authority across the EU that deals with all data protection matters for all member states. Hmmm. We have our doubts about this one working practically; however, we’ll reserve judgment until we see the published text!
6. One Shoe Fits All
The GDPR will implement a single framework of data protection legislation that will apply to each EU member state. This fortunately provides businesses in the EU with a more consistent set of rules and will no doubt be a good thing. Hurrah, a big happy positive!
Have any questions on the upcoming GDPR or on existing data protection compliance under the Data Protection Act 1998? Get in touch and we’d be happy to chat through your concerns or queries!