New Data Protection Regulation is upon us
Following three years of preparation and lobbying, the European Parliament has finally adopted the new European General Data Protection Regulation (GDPR) – which means big changes to data protection as we know it in the UK.
The GDPR will officially replace the basis behind the UK’s much-cited Data Protection Act 1998 and will become law in all EU member states. The GDPR’s reach will be wider too, as it will affect any business that processes the personal data of EU citizens, even if that business is based outside the EU.
The document lays out compliance measures for each state to meet before it takes over for good in the summer of 2018, and countries may escape any penalties, providing they can show that they have started preparing for the new measures.
The new legislation will still be adopted in Britain even if it decides to leave the EU in the forthcoming ‘Brexit’ referendum.
Summary of Changes
- One of the biggest changes announced relates to data responsibility. Previously, most data protection obligations fell upon Data Controllers as opposed to Data Processors. Under the GDPR, both Controllers and Processors will be responsible for protecting the personal data they handle.
- All organisations will be obligated to have a full and firm understanding of what personal data they acquire, hold and process – and the legal basis on which they do so.
- Data protection measures must be integrated into business processes, in order to respect the rights of data subjects.
- Most organisations will have to appoint a data protection officer, particularly those which process large amounts of sensitive personal data.
- Additionally, the GDPR introduces a new obligation to notify data breaches to the relevant authorities within 72 hours of first becoming aware of them.
- Non-compliance fines for failures to report breaches will be tiered – with the top-tier fine demanding a staggering 4 per cent of global annual turnover from late-reporting firms.
What can organisations do to prepare?
Firms will need to step up their privacy measures and reform their policies and procedures for handling security breaches. These measures will need to be in place before the implementation date.
Organisations may also wish to consider appointing a data protection officer, and to assess how, and for what purpose, they currently hold and/or process personal data. It may also be worth starting to review and update existing contracts in respect of the parties’ data protection obligations.
For further information on GDPR or contractual matters, please contact Rina Sond.
Please note the contents of this blog are given for information only and must not be relied upon. Legal advice should always be sought in relation to specific circumstances.