The GDPR promises sweeping changes for Europe’s data security landscape – what can the UK’s businesses expect?
The General Data Protection Regulation (GDPR) is set to overhaul the way businesses across Europe collect, store, and process data. Building on the existing legal framework, the GDPR must be adopted by 25 May 2018 – and businesses which fail to comply face the prospect of hefty fines.
Although the UK is in the midst of Brexit negotiations, the GDPR is still set to take effect on the May 2018 deadline – meaning businesses shouldn’t delay in exploring the impact the new regime will have…
What is the GDPR?
The GDPR essentially harmonises the data security environment in place across the EU, introducing tougher data protection legislation and bringing individual member states into line with the rest of the bloc. Behind the GDPR is an intent to give individual citizens greater control over how their data is used – especially in an era where organisations frequently swap and sell digital data online.
The GDPR is also intended to make data protection easier for businesses themselves – streamlining and clarifying the data-handling process in a way which makes it more efficient, and saves money. In fact, the EU has estimated the GDPR will save businesses a collective €2.3 billion per year.
Impact on the UK
While Brexit will bring a variety of significant legislative changes to the UK, implementation of the GDPR will nonetheless go ahead on the proposed date – which (in any case) falls before the UK’s scheduled exit from the EU. The UK government has further committed to implementing the GDPR (by its deadline date) via the Data Protection Act, which was voted into law in September 2017.
Given this commitment, the GDPR’s impact on UK businesses will be essentially the same as it is on their counterparts in the EU. Practically, this means that UK businesses should work to both understand the impact the GDPR will have, and decide how to adapt.
Details of the GDPR
To create its new data regime, the GDPR focuses on the specific legal responsibility of parties within a data-relationship. It defines the roles of the ‘data-subject’ who owns the data, the ‘data-controller’, who decides how the data is to be processed, and the ‘data-processor’, who actually handles and processes the data on behalf of the controller. Broadly speaking, the GDPR imposes a number of obligations on controllers and processors and introduces a range of tougher data protection standards. In a practical sense, both UK and EU businesses must be prepared for a variety of new security measures, including:
- Accountability: Under the GDPR, data processors will be accountable for security breaches which occur in the course of the provision of their service. This means controllers and processors will now be jointly liable for GDPR compliance failures.
- Breach reporting: Controllers must notify the Data Protection Authority within 72 hours in the event of a data breach which threatens the ‘rights and freedoms’ of data-subjects.
- Individual rights: The rights of data-subjects are expanded under the GDPR. New rights include the ‘right to be forgotten’ (have data removed), the right to transfer data, and the right to object to how data is processed and used for marketing purposes.
- Documentation: Controllers will now have enhanced record-keeping responsibilities regarding their data processing activities – these include the categorisation of data, international data transfers, breach incidents, and the provision of verifiable consent.
- Assessment: Controllers and processors must carry out impact assessments on ‘high-risk’ processing activities. Controllers must demonstrate the steps they have taken to address risks, and build security into their infrastructure ‘by default’.
- Data Protection Officers: The GDPR will require organisations with systematic, large-scale, or public data handling duties to appoint a qualified Data Protection Officer with oversight duties.
Despite the impending GDPR deadline, research suggests a significant number of UK businesses have still not taken sufficient steps to prepare for its implementation. Figures from the end of 2017 showed that more than 44% of employers were not aware of the GDPR, while a government study in January 2018 revealed that only 25% of businesses which had heard of the regulation had made any changes to their operations. Fines for non-compliance with the GDPR can reach up to £17 million (or 4% of global turnover) in the most serious cases – plus any resulting reputational damage. Given that the UK is the top destination in Europe for tech investors, and given the increasing threat of cyber-crime, it is vital that the country’s businesses take steps to become compliant with the new regime.
UK employers who are unprepared for the GDPR still have time to address the issue – and to take sufficient steps to ensure the impact it has on their business is a positive one.