Data Protection – Out with the old and in with the new
On May 25, our current data protection regime is going to be swept away and replaced by a new set of regulations in the form of the pan-European General Data Protection Regulations (GDPR), writes Andrew Priest, partner and head of technology at law firm Hewitsons.
It is not quite taking a new broom and sweeping away the entirety of what we have had for the last 20 years or so, but it is a good tidying up of established principles and should make businesses take a fresh look at how they collect, use and take measures to protect personal data.
The GDPR is going to be the new kid in town. As such, it will introduce us to a few new concepts that should get businesses thinking about data protection issues in ways they may never have considered before.
As lawyers, we will warn that fines for non-compliance can be as much as €20 million, or up to four per cent of annual worldwide turnover – whichever is higher.
That alone should be enough to make senior managers and decision makers sit up and take notice. We will also talk about the new principle of ‘accountability’ and the need to be able to demonstrate that you are complying with the new regulations. That is not something that businesses have had to do before.
After that, there are lots of new obligations about what to do to report any data protection security breaches, not just to the Information Commissioner’s Office (ICO), but also in some cases to clients and customers whose data has been affected.
There will certainly be data security breaches, however well the data is protected (or you think it is protected) and that kind of reporting will not come easily to many businesses.
But it is not all doom and gloom. Under the current data protection regime, if you process personal data in different countries across Europe, you are required to consider the different data protection rules that apply from country to country.
The GDPR will create a level playing field for data protection rules across Europe. If you comply with the new regulations in one European country, you shouldn’t have to worry about non-compliance in any others.
One other positive point to note is that a lot of the ‘red tape’ associated with registering for data protection will be done away with. There will no longer be any requirement to register details of your data processing with the ICO, for example.
But let’s not be under any illusions. The GDPR is a complex set of rules and regulations, and any legislation which runs to more than 200 pages requires your attention and demands that you take steps now to ensure compliance. May 25 will be a date of significant change, but there will be no transitional period, so the requirements of the GDPR need to be taken seriously now and in the first few months of next year.
For some businesses, compliance with the GDPR will represent more of a challenge than for others. For many, it will depend on how seriously data protection issues have been considered and dealt with up to this point.
But the new kid on the block can’t be ignored. He’s got a new broom and he won’t be afraid to require sweeping changes. Just don’t let him come knocking at your door!