Last reviewed 28 February 2018

GDPR — it’s been in the news and on websites, discussed on social media for months, but what does it mean? Crucially, what do companies who trade internationally need to do? Tim Hiscock reports.

What is the GDPR?

GDPR is the General Data Protection Regulation (2016/679), a new EU privacy law that comes into effect from 25 May 2018. There are two misunderstandings we need to dispense with straight away.

First, even though the UK has voted to leave the EU, and Article 50 has been invoked, signalling the country’s formal intention to leave, this law still applies to UK companies from the effective date.

Second, this EU initiative is a regulation, meaning it has direct effect. It does not need approval by Parliament.

So GDPR is coming, and it potentially affects every business and organisation that holds or processes people’s personal information. The purpose of the regulation is to give EU citizens (individuals, not corporations or other organisations) the right to understanding and control over their personal data and how it is recorded. It gives individuals the right to demand that their data be “forgotten” (deleted). For non-EU companies holding information about EU citizens, there is an obligation to appoint a representative in the EU, whose responsibility is to ensure the requirements are complied with.

The new legislation will be more stringent on the issue of consent to share the information. The organisation will need to be able to show that consent was willingly given and that there was a clear choice. This is one of several areas where the legislation appears to go much further than the 1995 Data Protection Directive (which the new regulation is designed to replace) did.

Seven principles

The GDPR is based on seven principles, which are intended to protect individuals from misuse of personal data. The seven principles state that data:

  1. is processed fairly and lawfully

  2. is collected for a specific purpose and only used for that purpose

  3. is not excessive in relation to the purpose

  4. is accurate and kept up to date where necessary

  5. is not kept longer than necessary

  6. is processed in accordance with the individual’s rights

  7. is not used for unauthorised or unlawful processing, and that appropriate measures are in place to guard against such misuse and against accidental loss.

The potential penalties for non-compliance are onerous. The maximum fine for the most severe infringements is either 4% of global turnover or €20 million (£17.5 million), whichever is the greater. Despite this, the initial signs are that only a minority of organisations expect to be compliant with the requirements by the date of enforcement.

Who does GDPR affect?

Every business that retains, shares or processes personal data, whether for employees, customers or job applicants, needs to consider their preparations for the new regime and take appropriate advice. The requirements will vary according to organisation and sector, but in all cases it’s vitally important to act now.

For exporters and importers, the impact of the legislation will vary according to whether the business transacts mainly with other businesses or with individuals (B2B or B2C). But even those that don’t sell to individuals will need to consider the impact because records about employees and job applicants will also need to comply.

The international trader also needs to consider the countries with which it does business, and whether the regulations need to affect the way that business is conducted, particularly where it involves the sharing of personal data. The EU recognises the compatibility of regulations in all EEA countries (the EU 28 countries plus Norway, Iceland and Liechtenstein). In addition, the EU recognises that certain other countries have data adequacy. So far, the list of such countries is quite short, comprising Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the USA (*limited to the Privacy Shield Framework). These countries are deemed to have adequate legislation to comply with the GDPR regulations. Negotiations are ongoing with Japan and South Korea.

Action points

Immediate action points should include the following (but may not end there).

  • Consider the amount of personal data the organisation holds. First, consider whether it is necessary to hold all such information at all. For some, the cost of compliance is going to be significant, so it’s obviously worth at least reviewing the extent of data held, and whether it’s appropriate.

  • If your organisation holds large amounts of data, consider whether it’s beneficial to appoint a data protection officer. For some, this will be a legal requirement, but even where it isn’t, the creation of the role (and appointment of a suitably qualified and experienced individual) might be beneficial.

  • Larger organisations should create a cross-department working group to understand how personal data is used and stored throughout the business.

  • Carry out a privacy risk assessment. This will involve assessing the points where sensitive data is stored, used and transferred. Companies operating internationally need to give special attention to points where data crosses national borders and how the privacy is protected.

  • Identify key issues in achieving compliance and produce an action plan.

  • Seek specialist advice. As the impact will be different according to sector, your trade association or professional body may be a crucial source of tailored information and guidance.

  • Ensure that your information storage and archiving systems are designed to make it as simple as possible to meet requests from individuals.

  • Review your website access and security systems. Seek external, professional advice where required.

As mentioned already, the UK’s imminent departure from the EU doesn’t relieve UK companies from the obligations of this regulation. Even after the UK has fully departed the EU, it seems likely that the level of trade will mean that the UK Government will seek to achieve the same data adequacy status as the countries listed above, because failing to do so would make much business activity more complex and subject to formal approval. So, there is a very strong likelihood that something very similar to GDPR will be imposed and remain in place for the foreseeable future.

This article is intended only as a general guide to the GDPR and should not be taken as legal advice. If you think you may be affected by the new legislation, you should seek appropriate professional advice.

Note:

*The EU-US Privacy Shield Framework was adopted in 2016 and protects the rights of EU citizens whose data is transferred to the USA for commercial reasons. The framework places obligations on companies receiving such data to adequately protect it and provides right of redress for individuals when there is a breach of the rules.