It has now been expressly confirmed that the UK is to opt into the EU General Data Protection Regulation (GDPR) – after much debate and uncertainty. In any event, the GDPR will automatically be binding in the UK when it comes into force in May 2018 as the UK will still be a member of the EU, at that point in time.
Under the GDPR, all EU member countries will be required to implement a strict data protection regime. This, of course, includes the UK for the foreseeable future. This is of critical importance to businesses who could face potentially significant fines (of €20 million or 4% of worldwide turnover if greater) if they breach the GDPR.
All organisations who undertake business in the EU – even those geographically located outside of the EU – will be legally required to comply with the provision of the GDPR. The provisions include tighter limits on the processing of personal data: business organisations must, for instance, be able to delete data quickly so that they can comply with the ‘right to be forgotten’.
There will be far more stringent requirements as to consent: organisations must obtain an ‘opt-in’ consent to data collection and sharing by third parties. In addition, GDPR requires that consent must be provable – so organisations must keep a record of its opted-in subscribers to avoid potential penalties.
Individuals themselves will have greater rights including the right to be informed; rights of access; rights of rectification; and the right to restrict processing. There are additional requirements when the request for erasure relates to children’s personal data. These rights mean organisations will be required to remove data from all storage devices (as well as servers, the cloud, etc) - which could prove costly.
The Information Commissioner has made clear that the ICO is committed to “assisting businesses and public bodies to prepare to meet the requirements of GDPR ahead of May 2018 and beyond”. Business organisations will find useful the ICO’s guide for businesses on preparing for the GDPR.
What will happen on Brexit?
If and when Brexit finally takes place, the UK will no longer be automatically subject to EU legislation. Whilst in theory, this means UK-resident businesses will no longer be bound by the GDPR itself (except where they undertake business in the EU) – the likelihood is similar domestic legislation will be introduced to plug the potential vacuum.
In any event, UK businesses must get to grips with the impending GDPR and prepare now to ensure they can comply with their responsibilities when it comes into effect and avoid potentially hefty penalties. Reviewing your existing processes and policies in light of the requirements of the GDPR is therefore critical.
How can we help?
Our experienced commercial solicitors will advise you on all your obligations under the GDPR and the UK’s existing data protection law, and help you prepare to comply with the greater burden of responsibility when the GDPR comes into force. Contact the experienced commercial solicitors at Herrington Carmichael for specialist advice as soon as possible.
Please contact Matthew Lea on 01189 898155 Mark Chapman on 01276 686222.
This publication reflects the law at the date of publication and is written as a general guide only - it is not intended to contain definitive legal advice, which should be sought as appropriate in relation to a particular matter.