After four years of drafting and negotiation, the wording of the General Data Protection Regulation has now been finalised and the Regulation will come into force across the European Union on 25 May 2018. The aim of the Regulation is to ensure that the fundamental right to personal data protection is guaranteed across the European Union.
The Regulation will have direct effect in all EU member states and, if the UK is still a member of the EU in 2018, the Regulation will effectively replace the Data Protection Act 1998. The central themes of the Regulation are not radically different from those in the Data Protection Act but the Regulation will alter a number of the existing requirements imposed on organisations and create several entirely new obligations. However, enforcement of the data protection obligations will be tightened under the Regulation and the maximum potential fines which the ICO can impose for data breaches will rise from £500,000 to €20,000,000 (or up to 4% of the total worldwide annual turnover of the organisation, whichever is higher).
The impact of the Regulation on organisations in the UK will now depend on the outcome of the EU referendum in June. If the UK remains in Europe, private and public organisations which process personal data will need to begin reviewing how they handle personal data to ensure their compliance with the impending Regulations.
The Information Commissioner is encouraging organisations to now start their preparations for the implementation of the Regulation.