The European Union has moved to strengthen and harmonise its data protection laws with the introduction of the General Data Protection Regulation (GDPR).
The GDPR applies from 25 May 2018 and operates along similar lines to the Data Protection Act 1998 that it replaces in the UK. Although the current legislation already applies to all “personal data” processed by organisations, the new legislation reflects advances in technology by adopting a broader definition of “personal data”: online identifiers, such as IP addresses, cookie identifiers and device identifiers, are expressly included and therefore receive greater protection than before.
The GDPR will also catch data controllers and processors outside the European Union. Data protection law will expressly apply to companies that are not established in an EU member state but that offer goods or services to individuals in the EU, or monitor their behaviour (for example by tracking their online activity), even where the company has no EU office or equipment.
Organisations that fail to meet the new GDPR guidelines will be subject to significantly higher fines than are applicable in the current UK Data Protection Act, which caps maximum fines at £500,000.
Under the new legislation, fines are imposed on a two-tier basis, depending on which obligations have been infringed. For infringements of obligations relating to record keeping, data processor contracts, security of processing and breach notification, and data protection by design and by default, organisations can be fined up to €10 million or 2% of their annual worldwide turnover, whichever is higher.
Meanwhile, for infringements of the data protection principles, the conditions for consent, data subjects’ rights and the rules on international data transfers, the fine can be up to €20 million or 4% of annual worldwide turnover, whichever is higher.
With the GDPR applying from May 2018, questions have been raised as to how this legislative change will affect the United Kingdom. The likelihood of the UK completing its formal withdrawal from the EU by that date is thought to be extremely low, so British businesses should expect to be subject to the new legislation.
It is expected that the UK will have left the EU by the end of March 2019. After that date, the UK government may keep the GDPR as it is, amend it, or introduce new laws as a way of making the UK an attractive place for companies to do business. Regardless of Brexit, companies that offer goods or services to businesses or individuals in the EU, or that monitor individuals in the EU, will still need to comply with the GDPR.
Here at London Registrars, we provide a range of services to help ensure that your organisation is on the right side of all applicable legislation. Our risk and compliance services are designed to protect your organisation, its employees and client base, whatever the sector in which your firm operates.