In around two years’ time the EU will implement the EU General Data Protection Regulations (GDPR), replacing the current Directive, and will be directly applicable in all Members States without the need for national legislation.
If the United Kingdom is still formally a member of the EU at this time, the impact on business will be profound. Even if the United Kingdom does trigger Article 50 in 2017 it is unlikely the EU will hold-off implementation of the GDPR until after Brexit (the GDPR has already been published in the Official Journal). Even if they do find a way to hold-off, it is highly likely that compliance with the GDPR will be a cornerstone of trade negotiations.
But even if you dismiss all of that and say this doesn’t apply to the United Kingdom at all – hang on just a moment. The GDPR gives the EU expanded territorial reach. So long as your business offers goods or services (even if for free) to people within the EU then you will still be subject to the GDPR.
But what is the GDPR? It’s fair to start by saying the GDPR is onerous. It is designed to boost two areas primarily: accountability and privacy. It will require your business to:
- Maintain certain documentation
- Conduct a data protection impact assessment
- Implement data protection by design and by default
In certain circumstances, your business may be required to designate a Data Protection Officer as part of an EU-mandated accountability programme. This will be an important new decision about roles, skills, and staffing for many businesses where they don’t currently have a Data Protection Officer in post.
One of the other key changes is around the obligations your business will have to report data threats and breaches within a strict 72-hour window. You will also have to tell your customers about the breach. Failure to comply can see you being fined 4% of your total worldwide annual revenues.
Consent is also bolstered under the GDPR with much more focus on “explicit consent” along with the ability for your business to demonstrate to authorities that you sought and were granted such explicit consent. No longer will a simple tick-box suffice.
The GDPR entered into force on 25 May 2016, but it will not “apply” until 25 May 2018. That might be why you have not heard much about it, until now.
Griffin Law Brexit Advisory Services is here to help you navigate the GDPR.
- What gaps exist between your current state of compliance and the standard that will be required from 2018?
- What changes do you actually need to make in a practical sense?
- What is the real risk to your business?
To book a no-obligation consultation email us today on brexit@griffin.law.
