With effect from May 25th 2018—in other words, less than a year away—your business is exposed to a new regulatory regime backed by hefty fines. And by ‘hefty’, we’re talking fines of the higher of either €20 million, or 4% of annual worldwide sales revenues.

 

The regulatory regime in question? The new EU-wide General Data Protection Regulation— the biggest change to data protection law for a generation—which imposes even stricter data protection requirements on businesses, and a far tougher penalty regime.

 

And don’t imagine that Brexit will remove the need for compliance. For one thing, the UK is not due to leave the EU until March 2019 (after the General Data Protection Regulation has come in force) and, for another, the government has indicated that it will adopt the General Data Protection Regulation.

 

In other words, the General Data Protection Regulation—and its tough new penalties for non-compliance—is coming. And businesses had better be prepared.

 

What does the Regulation call for?

 

For most businesses, the problem posed by the General Data Protection Regulation is that it is a radical departure from existing data protection requirements in two key areas.

 

First, it gives additional rights to individuals whose data is held by businesses. And second, it imposes a significant number of new obligations on businesses.

 

Which rights? What obligations? Essentially, these stem from the General Data Protection Regulation’s guiding principles:

 

* Individuals will have a ‘right to be forgotten’

* Individuals must have easier access to their own data

* Individuals may need to give explicit permission for their data to be processed

* Individuals may need to be told about data breaches

* Individuals will have the right to ask for their data in portable, electronic format

 

All of which, we would suggest, will certainly give pause to businesses accustomed to the established regime of the UK’s existing Data Protection Act.

 

A very different approach

 

What will it mean in practice? Much of the coverage that we have seen of the General Data Protection Regulation in the press, while not exactly wrong, seems to us to miss some important aspects of the General Data Protection Regulation.

 

Yes, if a breach of sensitive data occurs (or is suspected), then businesses must quickly notify all the individuals concerned. Yes, businesses will have to clamp down on the practice of personal data being held on theft-prone laptops and USB drives. And yes, businesses will need to make greater use of encryption.

 

But more fundamentally, many businesses will need to make significant changes to the way that they collect, record and handle personal data. And the impact of these changes will need to be understood right across the business, and in particular by those (in marketing, human resources, sales, and IT) whose role embraces dealing with personal data.

 

What’s more, from a legal point of view, a great many documents, statements and contracts will need to be re-drafted.

 

Extensive re-drafting

 

Privacy policies and statements, for instance, will have to set out—very specifically—how and why the business holds personal data, for how long, and how the business will implement new rights such as the ‘right to be forgotten’.