published on May 15, 2018
This note is part of our series of “Toolkits” on specific key elements of the upcoming EU GDPR (General Data Protection Regulation). If you are an enterprise based in the EU or you hold or process any personal data of any EU citizen you will need to ensure that you are compliant with the GDPR on and following its implementation date of 25 May 2018.
Precisely how the GDPR will be implemented in the UK is currently unclear, as the UK legislation is not yet finalised. We nonetheless recommend that a detailed review of data protection policies and procedures is completed ahead of its implementation date (and that any changes required are implemented ahead of that date too). The GDPR will be implemented in England and Wales through the Data Protection Bill.
The GDPR does not seek to drastically alter the existing UK regime (under the Data Protection Act 1998), but it does add important additional proactive requirements for compliance and enhanced data subject rights and protections (as well as creating a more uniform EU-wide regime).
This document is not a comprehensive explanation of the GDPR or the obligations under it and is not intended to provide advice. If you require any advice please contact us on the contact details provided further below.
The GDPR will replace the existing EU Data Protection Directive 1995 (95/46/EC). It seeks to update the data protection legislation in line with modern changes in technology and the way in which personal information is commonly used, processed and shared.
This note is an overview of the key considerations regarding data breaches and enforcement under the GDPR. It considers data breaches and enforcement from the point of view of a data controller and does not consider employer/employee relationships or individual data subjects' rights. For more information on a data controller's obligations under the GDPR and on individuals' rights, please see our other toolkits.
Data controllers are required to notify their supervisory authority of a personal data breach where the breach is likely to result in a risk to the rights and freedoms of the individual(s) concerned. In the UK the supervisory authority is the ICO. In the event of a breach, the data controller should notify the supervisory authority without undue delay after becoming aware of it and, where feasible, within 72 hours. If the breach represents a high risk to individuals' rights and freedoms, then the data controller must in most cases also notify the affected individuals directly. This is naturally a sensitive matter and it is important that it is dealt with appropriately. A data controller should therefore have policies and procedures in place firstly to prevent personal data breaches and secondly to deal with any breaches that do occur quickly and effectively. The remainder of this note focuses on the duty to notify the supervisory authority and on enforcement.
It is accepted that it may be difficult to provide full details within the initial 72 hour window, as investigations may still be ongoing. In that case the data controller should provide as much information as possible within the 72 hour window, and any outstanding information may be provided to the supervisory authority in phases, without undue further delay.
If the data controller does not notify the supervisory authority within the 72 hour window, the notification must be accompanied by reasons for the delay; likewise, where information is provided in phases, the controller should be able to justify why it could not be supplied in full at the outset.
The GDPR provides supervisory authorities with the power to enforce the GDPR within their territory and to issue penalties for any breach.
It is expected that the Data Protection Bill will require the ICO to publish guidance on how it will exercise its powers to issue penalty notices, enforcement notices and assessment notices, and on the penalties which may be imposed.
The GDPR specifies that the maximum penalty for a breach of the basic principles of data processing or of data subjects' rights is EUR 20 million or 4% of the organisation's total annual worldwide turnover in the preceding financial year, whichever is higher. Other infringements, including failure to comply with the breach notification obligations described above, carry a lower maximum of EUR 10 million or 2% of total annual worldwide turnover, whichever is higher.
Emma Vickers
Jan Eberhardt
Partner