Following the UK Information Commissioner’s Office’s (ICO) recent publication of its guidance on the General Data Protection Regulation (“GDPR”) (https://dpreformdotorgdotuk.files.wordpress.com/2016/05/preparing-for-the-gdpr-12-steps.pdf), companies are already busy analyzing how the GDPR will affect their businesses and what changes they will need to implement in advance of the law coming into force in 2018.
The protection of personal (an individual’s) data in the UK is currently governed by the Data Protection Act 1998 (“DPA”). Bearing in mind the enormous technological advances since 1998, the DPA has struggled to be able to address legal risks and issues which have only developed in recent years. The GDPR is therefore an attempt by the European Parliament and Council of the European Union to both update the laws on data protection as well as harmonize data protection laws in all EU countries.
Most businesses are heavily tech-reliant: from those that standardize their data and mass-market online, to those that operate self-service delivery models, businesses collect, store and use more personal data than ever. And, in many cases, standard (non-personal) data will be combined with the personal data of their clients, suppliers, partners and investors. It is therefore more crucial than ever for businesses to establish clear data protection policies and implement robust procedures to protect individuals’ personal data. The current maximum fine in the UK for breaches of data protection law stands at £500,000; under the GDPR, this maximum fine will increase to 20 million Euros or 4% of the company’s annual worldwide turnover (whichever is greater). Violation of the GDPR is therefore not a risk that businesses should willingly take. Alongside this, data processors (the individual/company which collects, stores and processes personal data) will also face hefty penalties and liability alongside the data controller (the individual/company on whose behalf the data processor collects, stores and processes the personal data). And, to account for the fact that businesses now reach customers worldwide, the GDPR will also apply to non-EU businesses if they process EU individuals’ personal data.
Development of the GDPR is being actively monitored by businesses in an attempt to get an early start on what may result in huge overhauls to their business policies. Have you started reviewing your data protection policies yet?