New Data Protection laws approved
Data protection law is about to undergo a seismic change that will affect every business in the UK.
The European Union's political bodies have finally reached agreement on the wording of the new General Data Protection Regulation ("GDPR"). This means that the content of the new law is unlikely to change before the formal adoption of the GDPR in the early part of 2016. Formal adoption will be followed by a two-year grace period during which businesses across the European Union can get to grips with the new law before it becomes binding and the old laws are repealed.
The GDPR is the biggest change to data protection law in twenty years. The existing laws (in the UK, the Data Protection Act 1998) were implemented at the dawn of the internet age; since then there have been significant changes in the way that businesses and consumers use the internet, and in particular in how they store, use and transfer personal data. Meanwhile, serious data security breaches continue to draw significant attention from the press, consumers and the Information Commissioner's Office ("ICO"). The GDPR is designed to make businesses address data protection "by design and by default", meaning that data protection can no longer be an afterthought in business planning, and it introduces much tougher penalties for businesses that break the law.
Some of the headline changes from the GDPR are:
- the introduction of much higher fines, potentially up to 4% of annual worldwide turnover (or €20 million, whichever is higher), increased from the current maximum of £500,000;
- the creation of new obligations for data processors;
- the introduction of the "right to be forgotten";
- a duty to notify the ICO of data security breaches without undue delay and, where feasible, within 72 hours of becoming aware of them (there is currently no general statutory obligation to report breaches);
- the requirement to appoint a data protection officer where the business's core activities consist of regular and systematic monitoring of individuals on a large scale.
For more information, contact Matthew Holman.