A guide to the new General Data Protection Regulation (GDPR) – Part 1 of 5
Following three years of deliberation, in April 2016 the European Parliament and European Council finally adopted the approved General Data Protection Regulation (GDPR).
The GDPR will replace the current Data Protection Directive (which was incorporated into English law as the Data Protection Act 1998 (DPA)) and governs the protection of individuals with regard to the processing of their personal data, as well as the free movement of that data. As a Regulation, it applies directly and does not require implementing national legislation, so it is expected to come into force in all EU member states during the first half of 2018.
Article 50 was triggered on 29 March 2017, meaning that the UK will leave the EU on 23 March 2019 at the latest. Based on the expected timescales for exit, it is highly likely that the UK will still be a member of the EU when the GDPR comes into force on 25 May 2018.
It is important for businesses to be aware of this new legislation and to start preparing now, as they may have to significantly alter their existing data protection practices in order to ensure compliance.
The increased sanctions under the GDPR also provide an extra incentive for ensuring that businesses are compliant from day one. National data protection authorities (such as the ICO) will have the right to impose fines of up to 4% of an organisation’s worldwide turnover or €20m (whichever is the greater) for certain breaches of the GDPR, such as failing to comply with the requirements for consent.
This post forms part of a series of blog posts in which we provide guidance on some of the key points that your organisation will need to know about this new legislation.