UK businesses that mishandle data could face fines of up to £15.5 million or 4 per cent of their global annual turnover under the EU’s new General Data Protection Regulation (GDPR), which takes effect in 2018.
Regardless of the UK’s recent Brexit vote to leave the EU, UK firms that do business with companies in the EU or have EU customers will be caught by the regulation. Currently, the maximum penalty a UK firm can face for data protection violations is £500,000.
Under the GDPR, any business that holds the data of EU citizens (including EU citizens based outside the EU) will need to report a data breach within 72 hours and explain in its privacy policies how it uses customer data. Larger firms will need to appoint a data protection officer and conduct impact assessments detailing exactly how they are using customer data and who can access it.
A two-year transitional period before the legislation takes effect is already underway. Businesses should review their policies and procedures and take legal advice to ensure they do not fall foul of the GDPR.
Are your business's data protection policies up to scratch?
For expert advice on data protection and the GDPR please contact Gaby Hardwicke Partner Mark Williams: