From 25 May 2018, the GDPR will be fully enforceable throughout every member state of the European Union. This means all small and medium-sized enterprises (SMEs) worldwide need to ensure that their data processing activities comply with the obligations of the new data protection regime ahead of this deadline.
The data protection landscape has changed enormously since the Data Protection Act 1998 (DPA) and the European Data Protection Directive 95/46/EC (DPD) it implemented were introduced. These changes mean that the DPA / DPD regime is no longer fit for purpose. The new General Data Protection Regulation 2016/679 (GDPR) will replace the DPA / DPD regime with a new and up-to-date set of data protection rules.
The GDPR was adopted by the European Commission and brought into force in May 2016 with a post-adoption grace period of two years. From 25 May 2018, the GDPR will be fully enforceable throughout every member state of the European Union. But the GDPR also has an international dimension, and it is therefore of the utmost importance that all small and medium-sized enterprises (SMEs) worldwide ensure that their data processing activities comply with the obligations of the new data protection regime ahead of this deadline.
Mewburn Ellis will be issuing a series of practical recommendations and advisory notes each month (January to May) to guide you in your efforts to review and revise your current data protection practices in order to ensure their compliance with the GDPR ahead of 25 May 2018.
Here we briefly set out an introduction to some of the key differences between the old and the new regimes that SMEs in particular will need to be aware of.
The fundamental principles of personal data protection and safeguarding the rights of data subjects remain, in essence, the same. However, the way the GDPR ensures the principles are realised has undergone substantial changes. A few of the key differences between the old and new data protection regimes are set out below.
The most material change introduced by the GDPR is the significant uplift in sanctions for breaching data protection requirements. A tiered approach will apply, such that the level of fine will depend on the category of obligation breached, but non-compliant companies could receive fines of up to the higher of 4% of their annual worldwide turnover or €20 million.
The GDPR applies to data processing activities regardless of territorial boundaries. Companies and their activities no longer have to be based or established in the EU to be subject to the European data protection rules. Instead, the obligations under the GDPR attach to the EU resident data subjects themselves. As a result, a company whose activities relate to either: (i) the offering of goods and services to EU citizens (whether these are offered for free or not); or (ii) the monitoring of behaviour that takes place within the EU, will be subject to the GDPR.
The rules around data subject consent have also undergone substantial changes and have been dramatically strengthened to ensure that all requests for consent are made clearly and in an intelligible and easily accessible form. For example, pre-ticked consent boxes will no longer be acceptable.
Data subject rights have also been revamped, with brand new rights being introduced and existing rights being enhanced, including the following:
The Mewburn Ellis legal department offers a comprehensive suite of advisory services in relation to data protection and GDPR compliance. Contact Emma Gallacher or Sean Jauss to discuss what your business needs to do ahead of 25 May 2018.
More information is available on the Information Commissioner’s Office webpages:
Performing a data and information audit of your company to identify precisely what personal data you currently process is the first step in becoming GDPR compliant.