The new GDPR laws are about to produce another seismic shift in the data protection landscape, writes Hannah Solel
If you thought MiFID II was the last regulatory change for a while, prepare for disappointment: meet the EU General Data Protection Regulation (GDPR), which comes into force in May. It certainly has people talking. ‘It will be a game changer, no question about it, because of the very substantial fines that can become payable if companies get it wrong,’ states Geraldine Proudler, head of reputation and media litigation at CMS.
So what is it? It’s broadly threefold. Firstly, the GDPR paves the way for a possible avalanche of access and ‘right-to-be-forgotten’ erasure requests; these may prove time-consuming. Secondly, it obliges organisations to devise data protection impact assessments – not necessarily what companies, toiling amid the uncertainty of Brexit, want to be doing in 2018. And in among it all is that spectre of fines – up to £17 million or 4 per cent of annual global turnover – if data breaches aren’t reported within 72 hours. That’s steep.
Magnus Boyd, a partner at Schillings, reckons ‘there will be some scapegoats, some guinea pigs’ and that the ‘first, most serious breaches are going to attract some big fines’. Dominic Crossley, who heads the media litigation team at Payne Hicks Beach, is also in the alarmist camp: ‘If businesses have not started preparing for the impact of the GDPR now, they are likely to be in for a shock.’
Howard Kennedy’s Mark Stephens concedes that while the legislation will give ‘greater… control to individuals, my concern lies where crooks and brigands use, and… abuse, the process’. Stephens is particularly worried about nefarious data requests aimed at uncovering information sources.
But the legislation will also be a powerful weapon to defend privacy. David Engel, head of reputation at Addleshaw Goddard, explains: ‘People will have potentially quite strong rights to get websites to take material about them down. That could be really helpful because you don’t have to worry about whether it’s confidential, private, [or] defamatory.’
Reputation-wise, it could work both ways. ‘Data loss isn’t now just a regulatory issue, it’s a reputation issue as well,’ says Boyd, ‘and that’s only going to get worse when the GDPR comes into force.’ So once again, the legislation seems mixed for HNWs.
Indeed, the breadth of prediction – not to mention the sheer range of issues the legislation raises – is suggestive of a big shift. Be prepared, then, and call that compliance meeting sooner rather than later.
Hannah Solel is a writer and researcher at Spear's Magazine