Currently, in the UK, businesses operate under the Data Protection Act 1998 (which implemented the EU Data Protection Directive 95/46/EC), a framework established at a time when people had less of an online presence, before the loyalty card was prevalent in the retail industry, and when personal data was often still handled in a very manual way. As we turned digital, there was a radical shift in the volume and variety of data and in the speed at which it was produced. Discussions have been ongoing in the EU for many years about a new data protection regime to address these changes.
Towards the end of 2015 the European Parliament and the Council gave informal political approval to the General Data Protection Regulation (GDPR), and formally adopted it in April 2016. The GDPR was published in the Official Journal on 4th May 2016 and enters into force on 24th May 2016. There is then a two-year transition period before the GDPR applies, and businesses will need to comply with its provisions from 25th May 2018.
The GDPR focuses heavily on protecting individuals and their data. It has also been intentionally agreed as a regulation rather than a directive, which means it will be a single piece of legislation directly applicable across all EU Member States without the need for national implementing laws. The GDPR includes a number of new and increased obligations that businesses will need to adhere to, including the elements described below:
There has been a desire to strengthen data subject rights within the GDPR. To this end, the GDPR includes a number of new (e.g. the right to erasure, widely known as the Right to be Forgotten) or enhanced (e.g. the Right to Information) data subject rights. The Right to be Forgotten, and the information that must be provided when personal data is collected from the data subject, are explained in a little more detail below.
In certain circumstances, businesses are required to appoint a Data Protection Officer (DPO) to help them meet their accountability obligations under the GDPR. This is a designated role with tasks set out in the GDPR, including responsibility for monitoring the business's compliance with the GDPR.
Under the Data Protection Act 1998 the statutory obligations fall on data controllers only. Under the GDPR, however, data processors will also have direct obligations; for example, a processor will be responsible for implementing appropriate technical and organisational measures to secure the personal data it processes.
Businesses will need to carry out a data protection impact assessment where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals.
The current Data Protection Act contains no obligation to notify the ICO or the individuals concerned in the event of a personal data breach, although the ICO's guidance sets out where it would be good practice to do so. The GDPR requires a controller to report a personal data breach to its data protection supervisory authority (the ICO in the UK) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where the breach is likely to result in a high risk to individuals' rights and freedoms, the controller will also need to communicate the breach to the affected individuals without undue delay.
Under the Data Protection Act 1998, the power of the UK Information Commissioner to impose a monetary penalty is capped at a maximum of £500K. Under the GDPR, the administrative fines a data protection supervisory authority may impose increase significantly, in a stepped fining regime, with a maximum fine of up to €20,000,000 or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, for specified infringements.
Individuals will also have the right under the GDPR to bring a claim for damage suffered as a result of an infringement of the GDPR.
The GDPR enters into force on 24th May 2016. Businesses will then have two years to implement the changes needed to ensure compliance; however, a forward-thinking business would start to think about implementation requirements now, so as not to risk falling behind.
Case C-131/12 Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (2014)
Please note that while we can support businesses with their preparations for the GDPR, we cannot offer legal counsel or compliance advice.