The reform of personal data protection laws within the EU is one of the most significant pieces of legislation the EU has produced in recent years. Coming as it does in times of increasing cyber security threats, increasing cyber crime and increasing use of digital storage systems for personal data, the implementation of the new data protection regime and the compliance of organisations with it is to be welcomed. The new data protection framework will provide a key part of improved systems and procedures to help counter these threats.
Final approval of the new EU data protection regulation occurred last year. The new General Data Protection Regulation (the “GDPR”) will come into full force and will be directly effective across the EU on 25 May 2018.
The GDPR introduces not only a broader scope and territorial reach of the EU data protection regime but also several other significant regulatory changes. As a result, organisations across the EU, and indeed beyond its borders, that process personal data of individuals within the EU need to start reviewing their policies, processes, systems and documentation now to ensure that they, their suppliers and any related data controllers and data processors will be fully compliant by 25 May 2018.
While there are significant financial consequences resulting from non-compliance (due to the significantly increased maximum fines), it is the reputational damage and bad publicity arising from data protection breaches that many organisations will be keen to avoid. Organisations that take a thorough and timely approach to reviewing their policies, processes, systems and documentation still have time to ensure full compliance with the new data protection regime, provided they begin the compliance exercise now.