The EU General Data Protection Regulation (GDPR) takes effect in May 2018. The Regulation is wider in reach than the current Data Protection Act; it confers more rights on subjects and more obligations on those controlling and processing personal data. Given the potential impact on businesses of these changes, it is essential  that firms start to prepare now to understand how the regulation may affect them and what steps they may need to take to ensure they are able to comply.

GDPR mandates considerably tougher penalties than the DPA: organisations found in breach of the Regulation can expect administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater.

It applies to processing carried out by organisations operating within the EU. It also captures those organisations outside the EU which offer goods or services to individuals in the EU. The GDPR applies to ‘data controllers’ and ‘data processors’; if your firm is currently subject to the DPA, it is very likely you will also be subject to the GDPR.

What are the areas impacted?
The GDPR will supersede national regulations such as the UK Data Protection Act (DPA), unifying data protection across the 28 EU member states and takes effect from 25 May 2018.

Key changes relate to:

• Expanded territorial reach
• Accountability and control
• Data breach notification requirement
• Appointment of Data Protection Officers for certain firms
• The role of data processors
• A right to be forgotten
• Consent from data subjects

In our view, the most significant change is the accountability principle, which requires firms to demonstrate how they comply with the principles of the Regulation e.g. by documenting the decisions taken and evidencing the controls in place. Practically, this is likely to mean more policies and procedures for firms.

If you are a data processor, the GDPR places specific legal obligations on you and you will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR. However, if you are a controller, you are not relieved of your obligations where a processor is involved, as the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

In addition, the ePrivacy Directive (implemented in the UK by the 2013 Privacy and Electronic Communications Regulations) will, from May 2018, define consent by reference to the GDPR, imposing additional constraints on firms wishing to carry out direct marketing by email, telephone or fax.