With effect from May 25th 2018—in other words, less than a year away—your business is exposed to a new regulatory regime backed by hefty fines. And by ‘hefty’, we’re talking fines of the higher of €20 million or 4% of annual worldwide sales revenues.
The regulatory regime in question? The new EU-wide General Data Protection Regulation—the biggest change to data protection law for a generation—which imposes even stricter data protection requirements on businesses, and a far tougher penalty regime.
And don’t imagine that Brexit will remove the need for compliance. For one thing, the UK is not due to leave the EU until March 2019 (after the General Data Protection Regulation has come into force) and, for another, the government has indicated that it will adopt the General Data Protection Regulation.
In other words, the General Data Protection Regulation—and its tough new penalties for non-compliance—is coming. And businesses had better be prepared.
What does the Regulation call for?
For most businesses, the problem posed by the General Data Protection Regulation is that it is a radical departure from existing data protection requirements in two key areas.
First, it gives additional rights to individuals whose data is held by businesses. And second, it imposes a significant number of new obligations on businesses.
Which rights? What obligations? Essentially, these stem from the General Data Protection Regulation’s guiding principles:
* Individuals will have a ‘right to be forgotten’
* Individuals must have easier access to their own data
* Individuals may need to give explicit permission for their data to be processed
* Individuals may need to be told about data breaches
* Individuals will have the right to ask for their data in portable, electronic format
All of which, we would suggest, will certainly give pause to businesses accustomed to the established regime of the UK’s existing Data Protection Act.
A very different approach
What will it mean in practice? Much of the coverage that we have seen of the General Data Protection Regulation in the press, while not exactly wrong, seems to us to miss some important aspects of the General Data Protection Regulation.
Yes, if a breach of sensitive data occurs (or is suspected), then businesses must quickly notify all the individuals concerned. Yes, businesses will have to clamp down on the practice of personal data being held on theft-prone laptops and USB drives. And yes, businesses will need to make greater use of encryption.
But more fundamentally, many businesses will need to make significant changes to the way that they collect, record and handle personal data. And the impact of these changes will need to be understood right across the business, and in particular by those (in marketing, human resources, sales, and IT) whose role embraces dealing with personal data.
What’s more, from a legal point of view, a great many documents, statements and contracts will need to be re-drafted.
Privacy policies and statements, for instance, will have to set out—very specifically—how and why the business holds personal data, for how long, and how the business will implement new rights such as the ‘right to be forgotten’.
Should your business engage another business to handle individuals’ personal data on its behalf—whether for payroll purposes, market research purposes, or other purposes—then the relevant contract will need to be rewritten to make explicit reference to the requirements of the General Data Protection Regulation in areas such as businesses’ obligations in terms of confidentiality.
And many businesses will need to keep a register of all the personal data that they handle, together with details of why they hold it, for how long they intend to hold it, and with whom it will be shared.
What to do?
In short, there’s a lot to do—and the time available in which to do it is getting short. Put another way, a tough new regulatory regime, backed by hefty fines, is just months away from impacting your business.
There are decisions to make, policies to put in place, contracts to renegotiate, and employees to train and re-educate.
Here at The Legal Director, we can help—not least by providing legal advice on how best to approach General Data Protection Regulation compliance.