Today is the day: the General Data Protection Regulation (“GDPR”) is now in force!
For more than 4 years now, the topic on the mind of many a privacy lawyer has been the GDPR, which is without a doubt the most fundamental development in data protection and privacy since the existing Data Protection Act 1998 was implemented. After numerous debates, drafts and redrafts at EU level, the text of the GDPR was eventually agreed by the Council of the European Union on 12 February 2016, with it being voted on by the European Parliament’s Civil Liberties Committee and the Parliamentary Plenary on 12 April 2016 and 14 April 2016 respectively.
On 4 May 2016 the GDPR was published in the Official Journal of the European Union, which started the 20-day countdown to the GDPR coming into force. This means that the GDPR comes into force today (25 May 2016). Before panic overwhelms companies too much, there is of course the 2-year implementation period, which means that the GDPR will not actually be applicable within the UK until 25 May 2018.
That said, there is so much for companies to do that we strongly recommend companies (if they have not already) start considering now how they are going to ensure compliance with the GDPR from 25 May 2018. As readers of previous editions of this newsletter will be aware, the reforms from the GDPR are wide ranging and include (by way of brief summary only):
• a requirement for data controllers to notify breaches to the Information Commissioner’s Office (“ICO”) without undue delay and, where feasible, within 72 hours (data subjects sometimes also need to be notified);
• an obligation on data controllers to undertake data protection impact assessments for certain data processing activities;
• placing direct obligations on data processors, such as in relation to implementing technical and organisational measures to protect personal data;
• requiring some data controllers and data processors to appoint data protection officers;
• introducing the new ‘right to be forgotten’; and
• creating a robust approach for the levying of penalties for breaches of the GDPR, with fines for certain infringements being up to 4% of a company’s annual worldwide turnover.
So, what do companies need to do now?
We have a number of clients who have already begun the process of GDPR compliance, and the fundamental steps to take are:
• understand what the GDPR requires of your company;
• work out how far your company currently complies with the requirements of the GDPR; data protection audits can be an excellent tool to assess how your company currently uses data and what level of compliance is achieved at the moment;
• understand the areas where your company is not compliant with the requirements of the GDPR;
• highlight the absolute key areas where your company needs to achieve compliance urgently, and then rank the rest in level of importance; and
• implement the changes that your company needs to make.
Two years is a short time in which to achieve compliance with the GDPR, but one argument that has been made is that we should wait to see the result of the Brexit campaign before addressing GDPR compliance in anger. However, the ICO has issued a statement that, regardless of whether or not the UK remains part of the EU, the “UK will continue to need clear and effective data protection laws”. Our view is that there is virtually no possibility, given the amount of time and effort that has been invested in the GDPR, of the UK implementing a data protection regime different to the GDPR, should a Brexit occur.