New Data Protection Regime Part 1
The following blog in two parts was written by our research student, Shaun McPhee.
The General Data Protection Regulations (GDPR) are a radical shake-up of EU data protection law, which entered into force on 25 May 2016. This aggressive piece of legislation attempts to regulate the control of EU residents’ data, far beyond the borders of the EU, and more strictly than ever before. The effects will be felt by diverse businesses worldwide, with those businesses in ecommerce, healthcare (including ehealth), and big data being particularly affected.
Whilst the GDPR will not actually be enforced until 25 May 2018, it imposes onerous obligations on data controllers and processors, which should be planned for well in advance. Penalties are increasing from a maximum of £100,000 (in the UK) to the greater of €20m (£17m) or 4% of global turnover – numbers which deserve serious attention, even from those businesses with robust privacy protection in place.
Unlike previous data protection rules, the GDPR apply to all EU organisations, as well as to non-EU organisations which offer goods or services to, or monitor the behaviour of, individuals within the EU. This means that many organisations not currently subject to EU data protection requirements will soon become so.
The rules cover all data controllers and processors ‘established’ in the EU, where personal data is processed ‘in the context of their activities’. The European Court of Justice has previously interpreted ‘established’ broadly, in the context of data protection, covering “any real and effective activity – even a minimal one”. Even those organisations with a tiny EU presence will be required to comply in full.
The second part of this blog follows.