The General Data Protection Regulation (the ‘GDPR’) will introduce a number of changes, including an expanded territorial reach of its provisions, increased rights for data subjects and a re-balancing of the liability and risk allocated between data controllers and data processors.
Whilst the Data Protection Directive had to be enacted through UK legislation to take effect, the GDPR will apply directly and immediately from 25th May 2018. It is strongly recommended that organisations, both data controllers and data processors, prepare well in advance for the forthcoming changes.
Much of the Data Protection Act 1998 (enacting the EU Data Protection Directive 95/46/EC) carries over into the spirit and wording of the GDPR. In the following table we set out a summary of the principal changes and new obligations affecting data processors. The table highlights key issues to be considered by ‘processors’ before carrying out data processing activities under the new regime.
The impact of Brexit
Article 50 has now been triggered and the formal process of the UK’s exit from the European Union set in motion. Nonetheless, the timing of the GDPR means that it will come into effect well before the UK’s eventual exit from the EU, the latter due to take place in March 2019. The GDPR will apply in this timeframe and potentially beyond, with the UK likely to transpose a great deal of European legislation directly into domestic law. Additionally, whether the GDPR is brought into UK law or not, non-EEA (European Economic Area) organisations, including those in the UK and elsewhere, will still be caught by the GDPR if they offer goods and services to companies in the EU or monitor the behaviour of EU data subjects.
To read a full review of the GDPR, please view our information sheet on the new regulation here.