The EU’s General Data Protection Regulation (GDPR) will apply from 25 May 2018, when it supersedes EU member state implementations of the 1995 Data Protection Directive (DPD).
The UK Data Protection Act 1998 (DPA) will be superseded by a new DPA that enacts the GDPR’s requirements. The new law marks a wide-reaching and significant shift in the way that organisations must protect personal data.
It grants data subjects a number of new rights, including the right to judicial remedy against organisations that have infringed their rights, and requires organisations to adopt “appropriate technical and organisational measures” to protect personal data. It also introduces mandatory data breach reporting.
Penalties under the GDPR
The Regulation mandates considerably tougher penalties than the DPA: organisations found in breach of the Regulation can expect administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater. Fines of this scale could very easily lead to business insolvency.
Brexit
UK organisations handling personal data will still need to comply with the General Data Protection Regulation (GDPR), regardless of Brexit. The GDPR will come into force before the UK leaves the EU, and the government has confirmed that the Regulation will apply, a position the Information Commissioner has also confirmed.