Data protection is an issue that is making ever-more frequent appearances in news headlines, and with the implementation of a new EU-wide framework for data protection law in 2018, this should not be expected to change any time soon.
What is the current law?
Presently, the main source of legislation governing data protection in the UK is the Data Protection Act 1998 (DPA), implementing the EU Data Protection Directive 95/46/EC (DPD). Upon finding a contravention of the DPA, the Information Commissioner’s Office (ICO) has the power to impose fines of up to £500,000. The ICO has made it clear that it takes this power very seriously; to take but one example, in 2016 the telecom group TalkTalk was fined £400,000 for its inadequate protection of customer data.
What is changing?
On 25th May 2016 the EU General Data Protection Regulation 2016/679 (GDPR) was passed, thereby repealing and replacing the DPD which provided the previous legal framework. Unlike the DPD, the GDPR is directly effective in EU member states, meaning that no passing of legislation is required in order for it to apply as if it were national law. With the Data Protection Bill being introduced to the House of Lords on 13th September 2017, it has been made clear by the Government that the GDPR will continue to apply in the UK notwithstanding Britain’s exit from the EU. Due to the dramatically increased burden on businesses to meet these new standards, the deadline for compliance with the GDPR has been set at 25th May 2018.
The GDPR marks a significant shift towards the greater harmonisation of data protection law throughout the EU. It imposes new and enhanced obligations on businesses dealing with ‘personal data’, whilst widening the scope of the definition of ‘personal data’ itself. As a result, businesses will be required to change the way that they handle personal data and will have the additional burden of demonstrating that they do in fact comply with these new standards. If businesses are unable to meet these high standards, they will find themselves exposed to a dramatically heightened level of liability. Under the GDPR, the ICO will have the power to impose fines up to a maximum of €20m or 4% of global annual turnover – whichever is the higher of the two.
What should businesses be doing?
Despite the recent publicity and the fact that smaller businesses may risk insolvency if found liable for a fine, a recent survey concluded that 55% of SMEs are still not familiar with the GDPR.
If you would like to find out more about how the GDPR will impact your business, you can sign up to BakerLaw’s GDPR Breakfast Seminar on Tuesday 20th February by clicking here. We will be hosting this seminar alongside data and cybersecurity specialists ThinkMarble.
Alternatively, if you would like to discuss how you can potentially limit the liability to your business, please contact Simon Porter in BakerLaw’s Company and Commercial Department at firstname.lastname@example.org or call 01252 730754 to discuss further.