The General Data Protection Regulation
The General Data Protection Regulation will finally arrive in May 2018. It marks the biggest shake-up to EU data protection laws for 20 years.
While many of the core data protection obligations remain the same, the Regulation imposes a wide range of new requirements. Businesses will have to provide individuals with new privacy notices and upgrade contracts with suppliers who process personal information on their behalf. Added to this are the mandatory appointment of data protection officers (in some cases), mandatory privacy impact assessments, and new rights to data portability and to be “forgotten”.
The new regime will be backed up by a step change in sanctions, with fines of up to €20m or 4% of annual worldwide turnover. The GDPR is an EU regulation and therefore applies directly to the UK, and to other Member States, from 25 May 2018. The UK could diverge from the Regulation and introduce its own data protection laws after Brexit. However, this seems unlikely, and the Government has said the UK’s data protection laws will remain aligned to the Regulation.
This is, in part, to allow the free flow of personal information between the EU and the UK after Brexit. The optimum solution would be for the EU to find the UK “adequate” for data protection purposes – in other words, allow the continued free flow of personal data on the basis that the UK’s data protection laws will properly protect that data. In the absence of such an “adequacy” finding, other mechanisms will be needed to allow the transfer of personal data to the UK after Brexit, such as signing up to the so-called Standard Contractual Clauses (a standard form data transfer agreement approved by the EU Commission).
Access our guide to the GDPR, containing answers to frequently asked questions, checklists and everything else you need to get to grips with this new law. You can also access our at-a-glance guide and "to do" list to help you prepare.