EU data protection laws are going through their biggest change in two decades, and the question is where Brexit will fit in with this change. The General Data Protection Regulation (GDPR) was adopted by the European Parliament in April 2016 and will be directly applicable throughout the EU, meaning that national parliaments do not need to implement domestic legislation to enact the new law. The GDPR comes into full effect from 25 May 2018 onwards, a date on which the UK is still likely to be a full member of the EU according to the government’s current timetable. In the UK the GDPR will largely replace the Data Protection Act 1998.
What does the new regulation say?
Firstly, it tightens up the law around security breaches: as soon as the data controller becomes aware that a breach has occurred, it should notify the Information Commissioner’s Office (ICO) without undue delay, and not later than 72 hours after becoming aware. Secondly, it provides further clarification on the issue of personal consent: if the data controller relies on the consent of the data subject, it must be able to show that the consent was freely given, specific, informed and unambiguous for each stated purpose for which the data is being processed. Thirdly, it creates the new post of Data Protection Officer, which sits alongside the existing concepts of data controller and data processor. Finally, and perhaps most radically, the GDPR introduces the right to be forgotten, which means that data subjects will be able to request that their data is deleted by the data controller.
The changes are therefore wholesale: not only are the rules tightened up, but the penalties for breaches are also increased. Security breaches will attract a fine which could be as high as 4% of the data controller’s global annual turnover, and the new regulation also introduces an updated right for data subjects to seek compensation and damages for data breaches. The right to damages exists separately from, and is not mutually exclusive with, the authorities’ legal right to impose fines.
What of Brexit?
As stated above, the UK is very likely to still be a full member in May 2018 when the new regulation fully comes into force across the EU. Furthermore, according to the government’s proposed Great Repeal Bill, all EU laws in force on the date of the UK’s final exit will remain on the British statute books. The GDPR will therefore be the new legal framework on data protection in the United Kingdom. It is strongly advisable for all data controllers in the UK to use the period until May 2018 to become fully compliant with the new regulation, not least given the increased financial implications of non-compliance.