A New Data Protection Landscape
By Sharon Fryer (assisted by Jamie Cawthorn)
The General Data Protection Regulation (GDPR) adopted earlier this year represents a milestone in data protection laws.
The aim of the GDPR is to give control over personal data (data that relates to a living person, including name, email address, mobile number, social media ID, etc.) back to the individual. More broadly, it is a recognition of the growth of the digital and a response to the exponential growth in consumer-facing and mobile technologies.
Coming into force in 2018, the GDPR contains some of the most stringent data protection laws in the world. Any business which offers any type of service to people in the EU, regardless of whether it stores or processes data within the EU or not, will have to comply with GDPR. So, it will remain relevant to many UK businesses following Brexit.
Consent for data processing must be informed, unambiguous, freely given and separate from any other terms and conditions. Data must only be used for the purpose for which consent is given. It must be as easy to withdraw consent, at any time, as it is to give consent.
Consequences of breach
Data controllers will have to notify the relevant supervisory authorities of any data breaches without undue delay. Affected individuals must also be notified if there is a significant risk of harm to them.
Fines and compensation
Failure to comply with the GDPR may result in very heavy sanctions. The most serious infringements can be punished with the higher of 4% of annual worldwide turnover or EUR 20 million. Fines are calculated by reference to the revenue of an undertaking as a whole, not only the revenue of the specific legal entity which committed the breach. It is also easier for individuals to claim compensation under the GDPR.
The scale of fines, the potential for civil claims and the resulting reputational damage must make compliance a high priority. So, it is important to begin preparations soon, to assess any areas of weakness and ensure they are corrected before the GDPR takes effect.
If you require further information or advice regarding the contents of this article please contact Sharon Fryer.