The General Data Protection Regulation is in its final phase of implementation and will become law in all EU Member states in May, 2018. I recently took part in a Roadshow with Norton Rose where we talked to legal and IT representatives from leading European companies about the implications of GDPR on their business.
Here are my thoughts on what is most relevant for the CEO:
1. Fines for non-compliance are up to 4% of Global Turnover
The maximum fines for non-compliance with the new regulation are the higher of €20m or 4% of the organisation’s worldwide turnover.
This will certainly focus the mind for most companies in terms of the priority they place on the need to achieve compliance.
2. GDPR will become law on 25th May, 2018
European Law broadly takes two forms, Directives and Regulations. Directives are issued by the European Parliament and must then be enshrined in the laws of each member state by implementation in local legislation. This typically leads to a level of inconsistency in the application of the law and also increases lead times to its implementation.
Since GDPR is a Regulation, it will become legally binding in all member states once implemented by the European Parliament.
3. Brexit won't affect your compliance obligations
Brexit is likely to be irrelevant for most companies in terms of their GDPR compliance obligations. If your business operates in Europe then compliance with GDPR will be required, irrespective of the future relationship that Britain has with the European Union.
Whilst GDPR will not directly apply to the UK post Brexit, the Information Commissioner’s Office (ICO) has emphasised that the UK will need to prove ‘adequacy’ if it wants to trade with the single market on equal terms. In practice this means that the UK is expected to mirror the EU's data protection legislation, so compliance with the new regulation is likely to be required either way.