A major shake-up of EU data protection law must be implemented by businesses, regardless of whether or not the country votes to leave the European Union today.
Leading commercial lawyer James Pressley from Kirwans law firm is urging businesses to ensure that their data protection policies comply with the new General Data Protection Regulation (GDPR), which aims to strengthen the rights individuals have over their information and make companies take the issue of data protection far more seriously.
The extensive set of laws will apply to any business that handles EU citizens’ data – whether it’s actually based in Europe or not.
And any breach in procedure could see them facing penalties of up to €20 million.
James said: “Many businesses seem to believe that if we vote Leave we’ll be able to cut through this red tape.
“But under the existing EU Treaties, even if we left the EU as quickly as possible, the earliest leaving date would most likely be June 24th, 2018. Under existing EU law, the GDPR has to be implemented into UK law no later than May 25th, 2018. That means that there would be an overlap of, at the very least, a month, where businesses who hadn’t implemented the new policies would be extremely vulnerable.”
In addition, James explains, even if the UK leaves the EU, we will still want to trade with it. However, one of its laws states that data cannot be transferred out of an EU country to a country which has ‘inadequate’ safeguards for personal data.
“The bottom line is, we are going to need to be able to prove to the EU that we have ‘adequate’ safeguarding in place for data. Or, in other words, the GDPR. So whether we vote to remain or leave, if we want to continue trading with Europe we simply have to have these policies in place.”
One example of where the new EU GDPR applies is the tick boxes that appear when buying from a website. Under the old law, the website could have a box ‘pre-ticked’ next to a statement saying that the business could contact the consumer with offers, and the customer would have to ‘un-tick’ that box in order not to receive those offers. Under the new law, that box cannot be ‘pre-ticked’: the consumer has to choose to tick the box themselves.
James said: “The new regulation is extremely complicated, and most companies will need to seek specialist advice to ensure that they have the right policies and procedures in place as, if they don’t, the Information Commissioner’s Office has the power to fine them up to €20 million.”
Five GDPR facts every business needs to know
1) Businesses must inform the Information Commissioner’s Office (ICO) of any data breach within 72 hours of it taking place;
2) The ICO will have powers to fine businesses up to €20 million, or 4% of turnover, whichever is greater, for breaches and non-compliance;
3) Businesses should seek specialist advice to make sure they have policies, procedures and personnel in place to deal with data breaches, or risk being non-compliant;
4) Businesses must enable consumers to have their data deleted as easily as it was collected from them;
5) Websites can no longer leave it to consumers to ‘opt out’ of having their data used for marketing. The new law will mean consumers must actively ‘opt in’ to their data being used in this way.