This year will mark one of the largest legal movements in data protection history: the formal adoption of the EU General Data Protection Regulation (the “GDPR”).
The long-awaited GDPR brings significant changes to UK data protection law. Once in force, it may mean the EU has the most stringent data protection laws in the world. The GDPR is far-reaching: it can apply to anyone offering goods or services to, or monitoring the behaviour of, anyone in the EU. It is therefore imperative to be aware of the changes to ensure you have robust processes and procedures for dealing with data protection, whether as a data controller or a data processor.
The Data Protection Act 1998 (the “DPA”), the cornerstone of UK data protection law, implements the EU Data Protection Directive 1995. Given that these laws came into force in the 1990s, when there was no cloud computing, social media and the like, they are outdated. Because the GDPR is a regulation rather than a directive, it is “directly applicable” in all member states. As such, it will apply throughout the UK without the government needing to transpose it into national law.
The GDPR’s final text has been agreed following trialogue. Key changes to the DPA in that text include:
While the changes may seem burdensome to businesses, there is a silver lining. The direct application of the GDPR will make all EU countries much more uniform in their approach to data protection. This means that multinational businesses can take more of a “one size fits all” approach to their processes and procedures: if those processes and procedures are lawful in one EU country, they are likely to be lawful in another. Multinational businesses need not deal with each national data protection authority. Instead, they will only be required to deal with the data protection authority in their main place of establishment.
The GDPR is also designed to reduce “red tape” for businesses. For example, SMEs will no longer be required to notify the Information Commissioner that they are a data controller.
The GDPR is anticipated to be adopted by the European Parliament and Council shortly. It will come into force two years after it is formally adopted. Until the final text of the GDPR is approved, there is always the possibility that further changes could come into play. Businesses will, however, need to plan for these changes and ensure their processes and procedures are robust, fit for the upcoming changes and ready for data subjects having more control over their personal data. Data controllers and processors have just over two years to prepare for this significantly tougher regulatory environment. Do not underestimate the significant workload that may be required to ensure your organisation complies with the GDPR.
Watch this space for further updates soon.
We can provide a three hour comprehensive, customised and practical training session on data protection law which can be pitched at a level and place to suit your individual business needs.
Author: Noor Al Naeme
For further information, please contact Tom Torkar, Partner in the Technology & Innovation team at tom.torkar@michelmores.com.