The long-awaited EU General Data Protection Regulation (“GDPR”) was approved by the EU Parliament in 2015 and will come into force in May 2018. It applies directly to all EU member states and will have significant implications for commercial organisations conducting business within the EU. The GDPR:
- creates a pan-European data protection board;
- requires mandatory notification of data breaches “without undue delay” and, where feasible, within 72 hours in many cases, whilst providing guidance on when an organisation must notify a breach to regulators and to data subjects;
- creates a tiered sanctions regime with fines for a breach of up to 4% of the offender's global annual turnover;
- applies to all organisations conducting business in Europe, regardless of whether they are domiciled within the EU, with many organisations needing to appoint a representative within the jurisdiction of the EU; and
- enshrines in legislation the principle of the “right to be forgotten.”
How the GDPR will apply once the UK has concluded the negotiations surrounding its exit from the EU is uncertain. The Government may choose to implement the Regulation simply as a robust and desirable means of protecting the data of UK citizens, or in order to demonstrate regulatory equivalence for the purposes of accessing EU markets. Businesses conducting business within the EU from the UK are likely to need to comply with the Regulation regardless of whether it is adopted by the UK upon exit.
It also remains to be seen whether or not the UK will continue to benefit from the recently negotiated EU/US Privacy Shield.
What is clear at this stage is that the UK’s exit from the EU is unlikely to be finalised before the GDPR comes into force, and businesses will need to continue their preparations for its introduction.
Information and data security is nothing new to business and insurers. However, with advances in technology such as drones, autonomous vehicles and ‘the internet of things’, and the growing use of social media, the benefits of digitising our data sit alongside potential perils, and keeping a very close eye on this area as it develops is essential.