In the protean landscape that has come to typify the interaction between personal data, the digital world and the law, things are about to change again.
Following years of consultation and debate, on 25 May 2018 the General Data Protection Regulations will take effect in every EU Member State, bringing with it significant reforms.
The overarching effect of the new Regulations will be to iron-out the panoply of different approaches that have evolved across the EU into a smooth and consistent one.
While the uniformity is a welcome change for those looking to do business in various Member States, the regulatory load is not exactly getting any lighter.
In terms of the impact on businesses and public bodies, the key changes being introduced are:
- an expansion in territorial scope, beyond businesses ‘established’ in the EU, to include those just ‘offering’ goods or services there
- a broadening of the definition of personal data
- a tightening up of the criteria for consent
- an increase in the rights of data subjects
- a mandatory requirement to notify the regulator (and sometimes the data subject) in the event of any data breach within 72 hours
- a requirement for some businesses to introduce full-time data protection officers; and
- an introduction of direct obligations for data processors
The overriding concern, however, is doubtless going to be the new bullet loaded into the regulatory chamber in the form of powers to issue massive fines.
For some breaches, a fine of whichever is the higher out of €20m, or, four percent of worldwide annual turnover for the previous financial year will be payable.
To put that in perspective for a UK based entity, there are some types of breach for which the new minimum fine issuable is nearly 40 times bigger than the maximum possible fine currently issuable by the Information Commissioner's Office.
When you factor in the expansion of scope and more onerous notification requirements, the liability risk from data breaches will skyrocket overnight.
What’s that you say? Don’t worry about it? Brexit means the Regulations won’t have an impact on us? Life’s never that simple.
The date on which the Regulations come into force precedes the date on which the UK will formally leave the EU, and, with no sunset clause for EU laws after we leave, all of them will be automatically transposed into national law and continue to have the same effect.
Might Parliament repeal the Regulations once we leave the EU? They might, and, with the fines proving particularly controversial, there is an argument for alterations to be made.
However, despite all the hyperbole about isolationism, given that we are in the midst of the digital age, often referred to as the fourth industrial revolution, it is hard to see the UK completely departing from the rules being heralded as a ‘major step towards a Digital Single Market’.
Tim Kirkconel is solicitor at commercial law firm, Wansbroughs Solicitors, with expertise in property, commercial and corporate law.