The General Data Protection Regulation, or ‘GDPR’, spells out the future of data protection in Europe.
The new regime isn’t all bad. Once adopted by our Information Commissioner’s Office (ICO) in the United Kingdom and other national bodies, it will lead to a much more consistent approach to data protection across the EU. There appears to be a more risk-based approach to compliance, and there is the notion that businesses operating across the EU will have a “lead” data protection authority to deal with, based on criteria that are still to be fully agreed. In addition, there will be no requirement that a business must notify their appropriate local authority (in our case, the ICO) of their data processing activities.
However, with these benefits comes ambiguity and, in the end, the potential for significant additional cost. This is because many of the GDPR’s most onerous provisions, which were once to be cut back or eliminated for some or all SMEs, may now apply to SMEs. At this stage, much remains unclear. What is clear is that businesses should be aware of the proposed regime, so they can react as appropriate when the time comes.
For one thing, enhanced enforcement powers mean that the UK maximum fine will go from £500,000 to, potentially, €100,000,000 or a percentage of global turnover, whichever is greater! Clearly, fines of this magnitude will likely only be applied in extreme circumstances, and indeed may never be adopted in the final text, but such levels of enhanced risk are clearly something all businesses could do without. This issue, along with some of the other proposed requirements discussed below, will make it more likely that businesses may feel compelled to appoint a data protection officer, even if they are not required to do so under the law.
In addition, obtaining the consent of data subjects may become much more onerous, as implied consent is replaced with a requirement for explicit consent. Getting a customer to tick a box will work, but requiring a customer to untick a pre-ticked box if they don’t consent is not acceptable. Therefore, all businesses that rely on data collection will need to explore their means of obtaining consent.
For businesses that have always relied on being data processors rather than controllers, beware – the regime for processors may get a lot tougher and, in that sense, more closely resemble the kind of requirements currently imposed on data controllers. With this in mind, it will likely become more difficult for businesses to negotiate their data processing clauses and agreements, as processors attempt to continue to minimise their exposure and controllers attempt to put more burden on their processors.
In terms of data breaches, the GDPR requires businesses to notify their local authority without undue delay and, most probably, within 24 hours. This means that businesses will need to think much more carefully about developing an action plan for data breaches, similar to the work they put into business continuity planning.
Finally, the “right to be forgotten”, which means what it says on the tin, and the right to object to profiling, which can impact businesses that utilise online tracking and behavioural advertising, will create challenges for many.
In the end, a lot is changing. Most of these changes increase the burden on businesses and, right now, might or might not fully apply to SMEs. Here at Woodfines, we specialise in representing SMEs and owner-managed businesses, being one ourselves, and will therefore keep abreast of the new regime as it reaches its final form and takes effect within the business community. To speak to us about any issues relating to data protection, please contact a member of our Company Commercial team.