On 25th May 2018, the General Data Protection Regulation (GDPR) comes into force, replacing the Data Protection Act 1998 (DPA).

The new regulations include a number of important changes to the rules governing personal data and businesses are expected to be fully compliant by that date.

Why should my business care?

One word: Penalties!

The penalty will depend on the type of breach that has occurred and will be levied on a two-tier basis as follows:

• Up to 10 million Euros or 2% of annual worldwide turnover of the preceding financial year (whichever is the greater) for violations relating to internal record keeping, data processor contracts, data security and breach notification, data protection officers, and data protection by design and default; and
• Up to 20 million Euros or 4% of annual worldwide turnover of the preceding financial year (whichever is the greater) for violations relating to breaches of the data protection principles, conditions for consent, data subjects' rights and international data transfers.

Although this may not necessarily mean higher penalties in practice for most data breaches (as the severity of the breach and any action taken to correct it will always be taken into account), these increased sanctions will undoubtedly lead to a much sharper focus on compliance.

In addition to the imposition of fines, the Information Commissioner's Office may choose to conduct audits, review certifications, issue warnings and reprimands to controllers and processors that have breached GDPR and impose limitations and restrictions around the breaching party’s ability to process data.

Reputational damage could also be significant.

In part two of our GDPR update, we'll look at some of the most significant developments you should be aware of.

If you have any questions or queries about this or any other employment issue, please get in touch with a member of our Employment Law team.