Edward Sloan
Founding Partner London, Rooney Nimmo
GDPR is coming. Don’t get caught out.
Will the European Union’s new data regulation affect you? If you do business in the European Union (“EU”) or offer products or services to EU citizens, the answer is very likely yes.
While a discussion on Brexit is beyond the scope of this article, the GDPR is being implemented in the UK and will form part of UK law ahead of Brexit taking place. It is likely that after Brexit, in the short term at least, the UK will look to maintain equivalence with EU laws including the GDPR.
On May 25, the EU’s General Data Protection Regulation (GDPR) will completely overhaul the way its citizens’ data are protected, increasing transparency and individual control of data. But here is the catch: enforcement of this regulation doesn’t stop at the borders of EU member states. GDPR applies to all entities worldwide that process data of individuals in the EU, regardless of whether or not that entity has a physical presence in a member state. Noncompliance with the GDPR could be extremely costly in both capital and reputational equity.
One of the most significant shifts in data privacy regulation in decades, GDPR is paving the way for the EU to set a global gold standard, a proclaimed goal of Brussels. The EU began reforming its preexisting data protection laws in 2012, working to put individual privacy on the map as a human right. The resulting GDPR, approved by the EU Parliament in 2016, will completely replace the 1995 Data Protection Directive, increasing citizens’ control over their own data and giving EU member state regulators the power to prosecute well beyond the borders of the EU.
The central provisions of GDPR focus on permissions and control. “Data controllers” (the technical term for entities that determine the purpose and means of the processing of personal data of EU citizens) will only be permitted to process personal data if one or more of the six lawful bases set out in the GDPR applies.
The six bases are (in brief):
Consent: if the individual has given free, specific, informed and unambiguous consent for you to process their personal data for a specific purpose.
Contract: if it is necessary for performance of a contract you have with the individual.
Legal obligation: if it is necessary for you to comply with the law.
Vital interests: where it is essential for the life of the data subject or another natural person.
Public task: if it is necessary for you to perform a task in the public interest and the task or function has a clear basis in law.
Legitimate interests: if it is necessary for your legitimate interests or the legitimate interests of a third party (where such interests are not overridden by the interests or fundamental rights and freedoms of the data subject).
GDPR also mandates that data controllers comply with requests from individuals for copies of their data records or to activate their “right to be forgotten”, which guarantees complete erasure of their data in certain circumstances.
Further, data controllers must follow specific reporting protocols within 72 hours of discovering a data breach, with organizations that process or monitor data of EU citizens on a large-scale subject to further regulations, such as appointing a data protection officer and undertaking data protection impact assessments.
Failure to comply with GDPR’s provisions could be expensive and embarrassing. The penalty for violation is up to €20 million or 4 percent of annual global revenue—whichever is greater—plus irreversible damage to your organization’s reputation.
No doubt tech giants like Facebook and Google will be held rigidly to these new standards, but do not expect enforcement to be restricted to high-profile companies—you too could be targeted. All too often regulators choose to single out vulnerable transnational organizations that may have limited resources and little to no home court advantage to serve as a reminder that no one is immune from prosecution.
Being proactive and compliant is essential to protecting yourself and your organization from GDPR litigation. It is highly advisable to consult a professional to thoroughly review GDPR’s potential impact on your organization, and to determine next steps to ensure compliance. Undertaking a review now and getting matters in order is always much simpler (and cost effective) than when enforcement action has begun – which by then is much too late.