On 14 April 2016 the European Parliament (EP) finally approved the new General Data Protection Regulation (GDPR) which will harmonise data protection rules across all the EU member states from 2018. At the same time the EP also approved a new EU Trade Secrets Directive which similarly will set a minimum common standard for laws protecting trade secrets within the EU. Data protection rules will become more onerous and organisations will face potentially crippling fines of up to 4% of their global turnover for data protection breaches. Currently the maximum penalty in the UK is £500,000.
The new rules focus on protecting individuals’ privacy, and there will be a much stricter requirement to obtain explicit consent before processing and holding their personal data. There will be a new duty to report any data protection breaches within 72 hours of them occurring, and for larger organisations it will be mandatory to have a data protection officer.
The GDPR will not come into effect until 2018 but as the changes are likely to have a far reaching effect on how organisations process their data, planning and implementing changes in preparation needs to happen as soon as possible.
The Information Commissioner has prepared a helpful 12 step guide to preparing for the GDPR.
Subject of course to the outcome of the EU referendum, organisations need to take the initial steps of reviewing what personal data they process and their policies and procedures relating to such data. Organisations will also need to consider commercial contracts and make sure that any organisations to which they transfer personal data are also compliant with the GDPR.
Early action is essential to minimise the risk of a breach once the GDPR comes into force, and with it the risk of attracting a potentially huge fine.