August 3, 2016

The Data Protection Act 1998 provides rights to individuals on how their personal information is processed by data controllers. It is based on EU law.

If you process personal data, as most businesses do, the Data Protection Act will apply. It is no doubt one of the most expensive legislative regimes given the administrative cost of compliance, enforcement and potential fines.

The General Data Protection Regulation 2016 (“the Regulation”) updated and harmonised data protection law in the EU. There was a corresponding increase in obligations in respect of personal data. Key changes under the Regulation are:

Expanded territorial scope. Non-EU controllers and data processors may be subject to the Regulation in certain circumstances
Increased enforcement powers with the potential for fines increased to €20M
Increased compliance obligations – requirement of a designated data protection officer, data breach notification
Obligations on data processors
Privacy by design and default
Subjects’ rights to erasure and to object to profiling
The Regulation comes into effect on 25th May 2018. Businesses have a 2 year lead-in time to comply.

The UK electorate voted to leave the EU. This involves a number of steps.

This does not mean that EU laws, including the Regulation, no longer apply. The vote has no legal effect per se. It is an instruction to the UK government to leave the EU. It must officially inform the EU and negotiate an orderly withdrawal. The process could take several years.

In the short term all EU laws will continue to apply. In the long term the Regulation is also likely to have effect. Apart from the Regulation’s potential application outside the EU, the UK will want to continue to trade with the EU. To do so it must be considered an “adequate jurisdiction” for data protection, such as Andorra or Israel. Any adequacy determination would require the UK to adopt data protection provisions that are aligned to the Regulation. There were recent issues as to whether the US “Safe Harbour” arrangement was adequate, with severe implications.

Presumably the UK’s new trading partners will also require assurances on data protection. It may be better to implement the Regulation wholesale, which is something the EU already accepts, rather than try to re-invent the wheel.

On a practical level, it is in businesses’ interests to have the Regulation or equivalent data protection regulation in place. The threat of hacking and other forms of cyber crime increases daily. Implementing a data protection regime is an important part of managing the cyber risk which most, if not all, businesses now face.

There is a lead time of 2 years for businesses to prepare themselves for the Regulation. This may involve a considerable amount of work to have practices, policies and procedures in place which are data protection compliant. Businesses should start now rather than adopt a wait-and-see approach, which could waste valuable time.

Michael King is a commercial litigator and certified data protection practitioner. He specialises in intellectual property law and information governance, including data protection issues.