How your business can avoid a €20m data protection fine

Kitty Rosser, associate at Birketts LLP


With the possibility of fines of up to 4% of a company's turnover, the upcoming EU data legislation – the General Data Protection Regulation (GDPR) – is set to become a major factor for many businesses.

We asked Birketts associate Kitty Rosser what firms needed to bear in mind.

Q. What is GDPR?

A. GDPR is a new European regulation which comes into effect on May 25 2018.

When it comes fully into effect it will be quite significant as it completely replaces our current data protection laws. The idea is to bring our laws up to date with technological development.


Q. What does it mean for businesses?

A. We will have to adapt to an entirely new data protection regime. In particular there are quite high new standards of transparency and accountability about how data is recorded, kept and processed. There will be a greater level of detail about how companies will use the data they collect.

Q. Will it make much difference?

A. The single biggest change is to the level of fines which can be imposed.

Fines will be increasing from €500,000 to a maximum of €20m or 4% of global turnover. For most businesses fines at this level will mean data protection is no longer an issue they can afford to ignore, which some seem to have been doing.

We [Birketts] are already seeing businesses engage with this in a way we haven't previously.

Q. Who will be affected?

A. Any business which collects data, particularly when they are providing an online service.

A number of businesses that fall outside the current laws will be affected, and businesses outside the European Union which collect data from European customers are going to be just as affected by the regulations.

The law is based around where the consumer is rather than the business.

Q. What kind of businesses will be most impacted?

A. There are very stringent rules for businesses which provide and analyse data for other businesses.

Businesses which collect data from children are going to have to provide a model of what they are doing with that data in a way children can understand. Some may even need to gather parental permission and to prove that permission is genuine, which could be very difficult to do.

Q. What about small tech firms?

A. This will be a major issue. There is concern about how they will find out about it and how they go about complying with it.

They have 18 months before it comes into effect, and it could take that long to make the adjustments, so it is important they are aware of the changes.

Q. What are the costs involved?

A. A lot of numbers have been bandied around but the figure being given by the Ministry of Justice is a total cost of £320m for UK businesses.

Q. Why is this needed?

A. Our current law is more than 20 years old and in that time technology has changed so much, in particular the way personal data is collected and used.

The new law is trying to be 'technologically neutral' so that, hopefully, it is still relevant in the future.

Q. But didn't we vote to leave the EU?

A. It is becoming increasingly apparent that we are not going to have left the EU before May 2018 when these laws come into effect.

That means businesses here will have to comply with the laws.

Most commentators expect the UK will adopt equivalent legislation when we do leave the EU.

If businesses are operating in the EU they will need to comply anyway and so it can be considered an investment in the long term.