Privacy regulation in the EU (including the UK) is about to undergo significant change: new laws will come into force next year that will impact any company (even those without a presence in the EU) that operates an EU-facing website to market goods or services to EU-based individuals and/or monitors EU-based individuals, e.g., with cookies or other similar technologies. The changes are far-reaching and will require numerous changes to the way businesses handle personal information. The new law, the General Data Protection Regulation (“GDPR”) will come into force on 25 May 2018. Although Brexit is raising some questions regarding how the GDPR will be implemented in the UK, the UK regulator has been clear that the UK will closely follow the GDPR. Independent of how the UK may deal with the GDPR, the GDPR will remain an issue for anyone dealing with people in other EU member countries.
The GDPR will place increased obligations on businesses including:
-
a stricter definition of consent, making it harder to obtain and particularly affecting those with EU-based employees
-
new laws on profiling, sensitive data handing, data retention and use, which will restrict what companies may do with the data they collect and how they store and handle the data they collect
-
new obligations on and liabilities for data processors
-
new breach notification requirements
-
increased sanctions for failure to comply, which could result in fines of up to 4% of annual turnover or €20 million (whichever is higher)
GDPR compliance will encompass more than establishing new policies; it may require changes in business operations and new technology or changes to configurations of existing technology. Getting ready for GDPR compliance should be a multi-stakeholder process, involving both internal company resources across the organization and external advisers. Although the law will not apply until May 2018, we are advising companies to start preparing now.
[View source.]
