Data has become the most valuable commodity of the digital era. In Europe, the value of the data economy is thought to be around the €50 billion mark and projections suggest that this figure could rise to €111 billion by 2020.
With such rapid development in the collection, transfer and processing of data comes not only increased risk of data breaches, but the risk that those breaches will be of a far greater scale and consequence. It is no wonder then that the EU has seen fit to implement a new data protection framework.
The General Data Protection Regulation (GDPR) is to replace the current European Directive and will be directly applicable in all member states from 25 May 2018, replacing the Data Protection Act 1998 in England and Wales.
What will its introduction mean for business owners? Our upcoming series of briefings will take a look at some of the main changes imposed by the GDPR and consider how UK organisations can prepare themselves for May 2018.
As if the GDPR itself were not enough of a concern, organisations also need to take account of, and comply with, the Privacy and Electronic Communications Regulations (PECR) which are already in force; they create extra rules, and provide additional rights for individuals, in relation to electronic communications.
Who is liable under the GDPR?
The GDPR retains the familiar concepts of data controllers and processors:
“Controller” – is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
“Processor” – is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
That said, the GDPR imposes major differences in both the obligations of each and the relationship between them.
Under the current regime (Data Protection Directive 95/46/EC) only data controllers can be held accountable for any breach. The GDPR, however, will place data processors under a direct obligation to comply with significant elements of the GDPR. A processor must, for instance, have appropriate systems in place to ensure an appropriate level of data security is maintained and will have to keep written records of all data processing activities carried out on behalf of a data controller.
Data controllers and processors alike must now also be concerned by vastly increased financial penalties and potential liability for damages if found to have infringed the GDPR. As well as extending liability to processors, the GDPR adds a further layer of obligation in relation to security by requiring that data controllers may only select processors “providing sufficient guarantees…that the processing meets the requirements of the GDPR”.
Where both data controller and processor are held to be responsible for a data breach, they may be held jointly and severally liable under the incoming regime.