If it was not already on your (or your clients’) radar, data protection laws in the EU are changing substantially on 25 May 2018 when the General Data Protection Regulation (GDPR) comes into force. Brexit will not affect the introduction of the GDPR in the UK. The UK Government and the Information Commissioner (“ICO”) have made it clear that the changes brought in by the GDPR will continue after Brexit as implemented through a data protection bill (currently in draft form).
EU lawyers will be familiar with the changes introduced by the GDPR. They include many additional and more onerous obligations, such as detailed record keeping and documentation requirements, and some significant new data protection concepts. In addition, the penalties for getting it wrong are much more severe than under current data protection law, with potential fines of up to 4% of worldwide turnover or €20m (whichever is greater).
Law firms located outside of the EU should take note that one of the key changes introduced by the GDPR is to extend the territorial scope of EU data protection laws, so that many non-EU businesses that market to, or monitor (including online profiling), consumers in the EU will be directly subject to the GDPR. There is also a requirement for organisations subject to the GDPR’s “long-arm” jurisdiction to appoint an EU-based representative.
Other key features
GDPR readiness
We have been providing a lot of advice to clients, both in terms of their regulatory obligations where the businesses hold a lot of sensitive data on their customers, as well as in respect of their employees in the UK. This is particularly the case where data is also going outside the EU, to parent companies in (for example) North America.
We have also been assisting our clients through GDPR readiness projects and data audits. The GDPR may require significant changes for businesses, and as some of these changes require substantial lead time, the sooner preparations are started the better.
In particular we are:
Draft data protection bill (DP Bill)
We are also consulting the DP Bill in relation to our data protection work. The DP Bill was published on 14 September 2017 and aims to modernise the UK’s data protection law and ensure that the UK is prepared for the future after it leaves the EU.
The DP Bill is drafted with explicit reference to the provisions of the GDPR and implements the standards and concepts introduced by it. In addition, the GDPR gives member states limited opportunities to legislate on data protection matters. This includes where the processing of personal data is required to comply with a legal obligation, relates to a public interest issue, or is carried out by a body with official authority. Processing of employee data is another significant area where member states may take their own approach. One element of the DP Bill is to give more detail in relation to these matters. It is therefore important that the GDPR and the DP Bill are read side by side.
However, the DP Bill is not limited to GDPR provisions. It also covers:
The DP Bill is very much in draft form and there is no guidance yet in relation to it. However, we will continue to monitor any developments in respect of the DP Bill and any guidance that may be issued by the UK government or the ICO.