It is now less than one month until the General Data Protection Regulation (GDPR) comes into effect, and Christian Mancier answers some of the questions you might still be wondering about.
Will there be a grace period?
The GDPR legislation has no “transitional period”. A “transitional period” is an initial period during which legislation is in force but is not actively enforced. As such, once GDPR comes into effect it applies, and can be enforced, immediately. However, the Information Commissioner has indicated that, come 25th May 2018, she wants businesses to be able to demonstrate that they “are on the journey” towards compliance. This implies that smaller compliance infringements are likely to be addressed by guidance from the Information Commissioner’s Office (ICO) rather than by fines, provided organisations can show they have been working towards compliance.
How likely is a fine?
According to the ICO’s most recent annual report, for 2016/2017, only 16 fines were issued for breaches under the Data Protection Act 1998. At present only the public sector (under a voluntary code) reports data breaches. Once this changes under GDPR and the private sector also has to report certain types of data breach, the number of fines issued will invariably increase. However, the ICO’s approach is very much to reserve fines for the most serious and/or large-scale breaches, and it is unlikely that this approach will change.
However, there is one school of thought that the first serious large-scale data breach after 25th May 2018 (along the lines of previous breaches such as Facebook, TalkTalk, Sony etc.) may well result in a significant fine and adverse publicity, as a way of laying down a marker that organisations need to take GDPR seriously.
What will the consistency be across the EU?
GDPR has “direct effect” across the EU: it is the same piece of legislation in each EU country, as opposed to each country putting in place its own interpretation of a piece of EU legislation, as we currently have with the Data Protection Act 1998. This is designed to introduce a degree of consistency across the EU. Whilst there will inevitably be differences in approach between the various data regulators across the EU, with some adopting a far stricter interpretation than others, the scope for this is significantly diminished by the fact that each regulator is working with the same piece of legislation.
If you need any assistance in relation to GDPR compliance and implementation, please do not hesitate to get in touch with Christian Mancier from our corporate/commercial department via christian.mancier@gorvins.com or 0161 930 5151.