The General Data Protection Regulation (GDPR) is a regulation introduced by the European Union (Regulation 2016/679) on 8 April 2016. It will be automatically incorporated into UK legislation from 25 May 2018. The decision for the UK to leave the European Union will not affect the implementation of this regulation into domestic law.
Because businesses increasingly operate across borders [and because of the development of the digital economy], the aim of the GDPR is to create consistency and harmonisation across the EU Member States where data protection is concerned. When implemented, the GDPR will affect how personal data [broadly speaking, data allowing an individual to be identified] and sensitive data [which includes data relating to racial or ethnic origin, political opinions, religious beliefs and physical or mental health condition] are processed.
The GDPR applies to data controllers [any person who decides how and why such data is processed] and data processors [any person who processes data on behalf of the data controller]. Whilst both the ‘data controllers’ and the ‘data processors’ are subject to the GDPR, the specific legal obligations of the GDPR are with the ‘data processor’. The effects of the GDPR include, but are not limited to, placing accountability obligations on the data controllers to demonstrate that they have complied with the GDPR obligations. This includes the obligation to maintain data protection documentation, conduct data protection impact assessments and [in certain circumstances] appoint a Data Protection Officer (DPO). In addition to this, the GDPR will introduce additional requirements for obtaining ‘consent’ from an individual before their data is stored and processed.
Where businesses breach the increased obligations provided within the GDPR, the GDPR establishes a ‘tiered approach’ to the applicable fines. Subject to the extent of the breach, the fine imposed could be either 4% of the annual turnover or €20,000,000.00 [20 million euros], whichever is the higher. Businesses can prepare for the implementation of the GDPR by [amongst other processes] putting clear policies and well-practised procedures in place to ensure they can react quickly to data breaches, establishing a framework of accountability, analysing the legal basis on which the personal data is being used and checking their privacy notices and policies.
EHL Commercial Law have a dedicated Corporate and Commercial team who can advise further on the impact of the GDPR. This can include any preparation and review [if required] of existing data notices and policies on a fixed fee basis.
Should you have any queries, please contact a member of the Corporate and Commercial team on 0330 024 9643.
The information provided in all of our blogs reflects only a narrative of some elements to consider on the topic. The blogs do not contain considered legal advice and should not be relied upon as advice. Please see our website terms and conditions for full details of our disclaimer. If you are interested in obtaining advice, please contact one of our lawyers who will be happy and able to advise you on your own particular circumstances.