EU GDPR – new rules, wider reach – the biggest change to data protection laws in 20 years
On 25 May 2018, the EU General Data Protection Regulation (GDPR) (2016/679) will come into effect. It’s the biggest change in data protection for 20 years – and something that companies should be preparing for.
With penalties of up to €20 million, or 4% of total worldwide annual turnover of the preceding year, and the opportunity for data subjects to sue, data protection and its scope will now become increasingly important. Indeed, it will be a topic at board meetings in the future.
End of implementation period
After four years of negotiation, GDPR was finally adopted on 27 April 2016. It comes into effect after a two-year implementation period. One law firm has described it as the “most ground-breaking piece of EU legislation in the digital era” – and with good reason. It will make businesses more accountable for data privacy compliance and offers individuals extra rights and more control over their personal data.
The GDPR does not need to be transposed into local law in each EU member state. As a directly effective regulation, it applies immediately across all 28 member states, with the aim of removing inconsistencies in how data protection law is applied across Europe.
GDPR will bring many changes, such as: increased rights for data subjects; ‘extra-territorial scope’; mandatory reporting of breaches by a data controller within a 72-hour timeframe; and a requirement to build data protection into projects from the outset, known as ‘privacy by design and default’.
From a jurisdiction perspective, it will introduce a lead EU regulator for multinationals in the member state of their ‘main establishment’. It will also extend the scope of EU data protection rules, applying them not only to controllers established in the EU, but also to non-EU controllers and processors where their processing relates to offering goods and services to individuals in the EU.
UK to copy EU laws
Although the UK is due to leave the EU by March 2019, the GDPR will take effect beforehand. The UK government put forward a new Data Protection Bill in August 2017 that largely mirrors GDPR’s own requirements. By effectively copying GDPR laws into the UK’s own laws, the government makes it likely that the UK’s data protection standards will be acceptable to the EU, and therefore the country should be whitelisted as a safe place to transfer EU data. This will be essential for businesses that transfer data between the UK and EU.