Despite Brexit, the UK Government has confirmed that it intends to implement the General Data Protection Regulation (GDPR) in May 2018. Contrary to rumours, therefore, the original time frame remains unchanged.
The GDPR replaces the UK Data Protection Act 1998, which implemented the EU Data Protection Directive. The GDPR aims to harmonise data protection rules across the EU and to assist compliance for non-EU companies. Its focus is on protecting the consumer.
The UK’s data protection regulator/Information Commissioner, Elizabeth Denham, has expressed her support for the UK Government’s clarification on the basis that it will give “people greater control over their data”. The Information Commissioner’s office has announced that it will provide further guidance in the coming months.
In the meantime, organisations should start preparing for the risk-based approach to compliance adopted by the GDPR, under which businesses bear responsibility for assessing the degree of risk that their processing activities pose. Organisations should consider the Information Commissioner’s 12-step guide.
Significant changes are afoot which will impact businesses. The most notable changes are:
- The GDPR will extend to data controllers outside the EU if they offer goods or services in the EU or monitor the behaviour of EU citizens that takes place in the EU.
- A two-tier penalty system will be introduced, with fines starting at 2% and increasing to 4% of annual worldwide turnover. Non-compliance with EU data protection law could therefore be very expensive.
- Businesses will be required to maintain detailed documentation recording their processing activities. Organisations will therefore need to review their compliance programmes carefully and ensure that they are up to date.
- The appointment of a data protection officer will be mandatory for organisations employing more than 250 people or processing personal data relating to 5,000 or more data subjects.
The GDPR sets a very high standard of consent for an individual’s agreement to their personal data being processed. Such consent will need to be freely given, specific, informed and unambiguous. Therefore businesses that have relied on implied consent in the past will need to review their practices to ensure that any consent involves clear affirmative action.
It is possible that the UK’s data protection laws will change post-Brexit, but such changes are unlikely to be a priority for the UK Government. We anticipate that the GDPR will remain in place for many years after 2018.
For more information or to discuss any of the issues raised, please get in touch.
Content is for general information purposes only. The information provided is not intended to be comprehensive and does not constitute or contain legal or other advice. If you require assistance in relation to any issue, please seek specific advice relevant to your particular circumstances. In particular, no responsibility shall be accepted by the authors or by Abbiss Cadres LLP for any losses occasioned by reliance on any content appearing on or accessible from this article.
Circular 230 disclosure
To ensure compliance with requirements imposed by the IRS and other taxing authorities, we inform you that any tax advice contained in this article (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties that may be imposed on any taxpayer or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.