2018 – the Year of GDPR
With the festive holidays behind us and a new year ahead, many will have prepared new year resolutions. Some will want to lose weight and get fit, while others will pledge to learn a new language or musical instrument.
But what should a company resolve to do in 2018? If they trade with or in the EU, top of their list must be meeting the new data protection laws from the EU, the General Data Protection Regulation (GDPR), which takes effect from the 25th May 2018. The rules cover any organisation in the world which works with the data of EU citizens and the fines are potentially huge, at the greater of €20m and 4% global turnover. Add to this mix that the European courts have historically been willing to impose large fines on companies near and far – Facebook and WhatsApp have both faced significant EU fines in multiple countries.
Hopefully, most of those companies will have received a Data Protection Officer from Santa, who has himself now become a potential GDPR target; as a result of listing whether individuals are naughty or nice, Mr Claus has likely made himself the data controller of a particularly sensitive set of personal data!
With their new DPO, or hopefully someone who has been able to shake off the new year malaise, these companies can look forward to getting the necessary protections, consents and appointments in place, to make sure the data of their customers and monitored subjects is protected.
2018, the Year of GDPR, could easily follow a pattern along these lines:
Up to 25 May – the level of concern in each company will slowly rise towards panic, depending on how well that company has prepared
26-31 May – much relief is experienced by over-stressed Data Protection Officers, as the world fails to end
June and after – EU data protection authorities and data activists are permitted to file GDPR non-compliance cases against data controllers and processors
The EU has offered assurances that GDPR is a carrot and not a stick, designed to encourage the strongest ideals of personal data privacy within companies. However, EU courts will be obliged to follow through with cases brought by data subjects themselves, so there is plenty of opportunity for wronged persons (or disgruntled / opportunistic individuals) to bring legal action against companies inside and outside of the European Union.
Whatever the Year of GDPR brings to you, all the best from DPR Group!
There is still a lack of understanding in many non-EU companies around what GDPR is, and what it means for them. DPR Group was established to help companies outside the EU meet their obligations under GDPR, particularly the obligation on a company to appoint a Data Protection Representative if they don’t have a base in the EU (Article 27) – note that this is a different obligation with different criteria to the DPO requirement.