The General Data Protection Regulation (GDPR) will come into
effect on 25 May 2018 and will be the most significant change to
the data protection regime in the EU for a generation.
Despite the Brexit vote, it is anticipated that the UK will, in
the short term at least, continue to implement the GDPR. Going
forward, the UK will be keen to enable trade with the EU and will
wish to be considered an adequate jurisdiction for data protection, so
it is very likely that the UK will continue to maintain a law
similar to the GDPR in the longer term. In any event, if your
business has operations in other EU Member States, GDPR compliance
will be essential.
It is, therefore, important that UK businesses are aware of and
prepared for the upcoming changes. Below is a brief summary of some
of the concepts to be introduced by the GDPR:

HARMONISATION OF DATA PROTECTION REGIMES

The aim is to produce a single legal framework that will apply
across all EU member states. Businesses will be able to rely on a
consistent set of data protection compliance obligations in
different EU member states.

EXPANDED TERRITORIAL SCOPE

Unlike the position under the Data Protection Directive (DPD),
non-EU businesses with operations in the EU will be required to
comply with the GDPR. This means that many non-EU businesses that
were not previously required to comply with the DPD will be
required to comply with the GDPR.

INCREASED ENFORCEMENT POWERS

The potential fines that could be enforced against non-compliant
businesses will be increased considerably. Fines will be set on a
For breaches in relation to data
processor contracts, internal record keeping, data security and
breach notification, fines could be up to the greater of:
2% of annual worldwide turnover of
the preceding financial year; or
For breaches of the data protection
principles, conditions for consent, data subjects' rights and
international data transfers, fines could be up to the greater of:
4% of annual worldwide turnover of
the preceding financial year; or
The GDPR adopts a risk-based approach to compliance. This means
that businesses will have to bear responsibility for self-assessing
the degree of risk that their processing activities pose to data
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.