The GDPR will be effective from 25 May 2018.
What is it?
GDPR represents perhaps the most dramatic overhaul of data protection law since 1998.
The main aim of GDPR is to give control back to citizens in relation to their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It also strengthens the penalties that can be imposed on offenders (see below).
Does it affect my business?
If your business controls, processes, stores or transmits personal data belonging to EU residents, then yes, your business will certainly be required to comply with GDPR.
According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”
What are the key changes from previous data protection rules?
GDPR introduces a number of changes, which include (amongst other things)
- An increase to the territorial scope of EU data protection law;
- Express and explicit opt in consent to be secured by the Controller;
- Enhanced notification requirements;
- Enhanced rights to compensation;
- Additional obligations and liabilities for data controllers and data processors;
- Greater powers for organisations such as the Information Commissioners Office (ICO) to apply fines for non-compliance.
- The right to be forgotten.
- Stronger accountability for controllers and processors.
More organisations will now be subject to European data protection regulation than before.
Is this just more red tape?
Of course these changes do require businesses to take time to digest the implications of GDPR and put new procedures in place.
However – on a more positive note – it also provides your business with an ideal opportunity to take a good look at the systems that you currently have in place, as well as the level of data that you collect. You should then consider whether the level of personal data that you collect is even really necessary. You might be surprised by the results. If it is necessary, then you may consider whether any of the data can be anonymised in order to mitigate risks.
What is the danger of failing to comply?
GDPR has attracted media interest because of the increased administrative fines for non-compliance.
The administrative fines are discretionary rather than mandatory and must be imposed on a case-by-case basis. Moreover, they must be “effective, proportionate and dissuasive”.
There are two tiers of administrative fines that can be levied:
- 1) Up to €10 million, or 2% annual global turnover – whichever is higher.
- 2) Up to €20 million, or 4% annual global turnover – whichever is higher.
Areas of focus may include:
- Assigning a director/manager with accountability for GDPR (Data Protection Officer);
- Briefing management on GDPR risks and development. External consultants can assist here and are not always as expensive as you might think;
- Ensure that your policies and procedures are up-to-date and compliant;
- Develop training and audit programmes;
- Involve everyone – A GDPR compliance programme needs to be a collaborative across the business.
With the possibility of high fines your business needs to focus on GDPR and become compliant ready.
If you take the time to analyse the shortfall between present procedures and the requirements of the GDPR in order to achieve compliance then you will be fine.
Steven Davies is Associate Solicitor at Guy Williams Layton LLP.
For more information please telephone him today on 0151 236 7171. Or send him an email: firstname.lastname@example.org.
Michael Sandys is a Partner at Guy Williams Layton LLP.
For more information please telephone him today on 0151 236 7171. Or send him an email: email@example.com.