The GDPR came into force on 25 May 2018 and brought with it additional rights for individuals and additional obligations for organisations. It also extends its reach beyond European borders and applies not just to companies within the EEA but also to some organisations outside the EEA.
With the legislation now in force, all eyes will turn towards the regulators to see how this piece of legislation will be enforced. We have already heard from the Information Commissioner in the UK that high fines can and will be levied on those that persistently, deliberately or negligently flout the law. And the ICO’s specified areas of focus are reportedly cyber security, artificial intelligence and device tracking. How this will all play out in practice remains to be seen.
For those organisations still on the compliance journey, there is a wealth of information to assist. We have published a GDPR hub, accessible here, which includes a series of briefings and webinars that take a deeper dive into some of the key considerations in any compliance programme. Copies of the briefings are accessible by clicking on the links below:
- The GDPR: the “whole of business” issue at the top of your board agenda
- The rise of the intelligent business: spotlight on employers
- Extending the long arm of the law: Extra-territoriality and the GDPR
- Data use – protecting a critical resource
- Supply Chain Arrangements: The ABC to GDPR Compliance
The post below was first published on our Employment blog.
Last week the UK Government released its negotiating position paper on international transfers of personal data within the EEA (The Exchange and Protection of Personal Data). Once the UK leaves the EEA it will no longer be subject to the General Data Protection Regulation (the “GDPR”) and would no longer form part of the EU “safe data” zone throughout which personal data may be freely transferred. The GDPR will however continue to apply to UK businesses who provide goods or services to individuals in the EEA.
In line with previous declarations, the position paper outlines the Government’s desire to maintain the “frictionless” movement of data to and from other countries within the EEA. It cites the economic benefits for the UK and EU as well as cooperation in respect of law enforcement matters (such as serious crime and terrorism).
The position paper sets out the Government’s preferred outcome in three key areas:
- An EU adequacy decision in relation to the UK’s post-Brexit data protection legislation;
- The continued input of the UK data regulator (the Information Commissioner’s Office (the “ICO”)) in the EU’s regulatory dialogue; and
- Interim arrangements, from the point of Brexit to the time when more permanent measures have been put in place, to maintain stability and consistency.
On 18 July 2017 the House of Lords European Union Committee (the “Committee”) published a report covering the impact of Brexit on four aspects of the EU Data Protection Package:
- the General Data Protection Regulation (the “GDPR”) which will become directly applicable in all EU member states with effect from 25 May 2018. A Data Protection Bill is expected to be introduced by Parliament after the summer recess.
- the Police and Criminal Justice Directive (the “PJC”) which EU member states must transpose into national law by 6 May 2018;
- the EU-US Privacy Shield which enables personal data transfers from the EU to the US for commercial purposes and replaced the previous Safe Harbour international transfer mechanism to the US; and
- the EU-US Umbrella Agreement which establishes a common framework for the protection of personal data transferred between the EU and the US for criminal law enforcement purposes.
The European Commission published its first draft of the EU General Data Protection Regulation (“GDPR”) in January 2012, which set out a comprehensive reform of the existing EU regime. The reform was designed to give citizens more control and protection over their personal data. In April 2016, the final text of the GDPR was formally approved.
The GDPR then entered into force on 25 May 2016 with a two-year implementation period before it comes into effect. This period gives organisations until 25 May 2018 to prepare for the new rules to apply.