In May 2018, Europe’s laws on data protection will undergo fundamental changes to allow individuals to regain control of their personal data. The reforms will also put an end to the patchwork of data protection rules that currently exists in the European Union.

The General Data Protection Regulation (GDPR) will establish a single set of rules providing clarity and consistency across the EU member states. Multinational companies will only have to deal with a single lead supervisory authority, in the member state where their main establishment is located, rather than potentially 28 different national authorities, making it cheaper and simpler to do business in the EU. Any company established outside the EU but offering goods or services to individuals within the EU will also have to comply.

The reform is part of the EU’s efforts to allow consumers and businesses better access to digital goods and services, while enabling digital networks and services to flourish. With 72% of Internet users in Europe worried that they are being asked for too much personal data online, according to the European Commission, it is vital that the law provides robust safeguards and reinforces individuals’ rights. These will include:

  • A “right to be forgotten”: Provided that there are no legitimate grounds for retaining it, the data will be deleted upon the individual’s request.
  • Easier access to one’s data: Individuals will have more information on how their data is processed and this information should be clear and understandable. A right to data portability will make it easier for individuals to transmit personal data between service providers.
  • The right to know when one’s data has been hacked: Companies and organisations must notify the national supervisory authority of data breaches that put individuals at risk (where feasible, within 72 hours of becoming aware of the breach) and must communicate high-risk breaches to the affected individuals as soon as possible so that they can take appropriate measures.
  • Data protection by design and by default: Data protection safeguards will be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm — for example on social networks or mobile apps.
  • Stronger enforcement of the rules: Data protection authorities will be able to fine companies that do not comply with EU rules up to 4% of their global annual turnover or up to €20m ($22m), whichever is higher.

Getting ready. Following the referendum vote in the UK on 23 June, 2016, to leave the EU, it is possible that the UK will have formally withdrawn its membership of the EU by the time the GDPR comes into force, or shortly thereafter. While the UK remains a member of the EU, the GDPR will be directly applicable to businesses operating within the UK. Once the UK leaves, it will not be obliged to implement the GDPR, although any organisation doing business with the remaining EU member states will come within its remit.

It is also the case that even outside the boundaries of the EU, the UK will come under pressure to adopt the rules contained in the GDPR to ensure that personal data can transfer freely between the UK and EU, without relying on the cumbersome mechanisms agreed between the EU and the US in the form of the Privacy Shield.

The UK’s Information Commissioner’s Office (ICO) provides a checklist of 12 steps that businesses can take to prepare for the new law. The first of these is to raise awareness within the organisation of the changes that need to be made and the impact on the business of a failure to comply. In the words of the ICO, “the UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU”.

By reviewing the processes, procedures and security measures currently in place, businesses likely to be affected can design and put into effect a plan of action for complying with the GDPR or similar laws ahead of 2018, with minimal disruption to the business.