Out-Law News | 05 Feb 2018 | 1:31 pm
The GDPR will apply directly in law across the EU, and to any non-EU businesses processing the personal data of EU consumers where they are directing services at that market, from 25 May 2018. However, aspects of the Regulation need to be supplemented with new national data protection legislation.
The European Commission said that, despite the approaching deadline, just two EU countries "have already adopted the relevant national legislation". One of those countries is Germany, and the other is Austria.
The Commission called on the other EU countries to "speed up the adoption of national legislation and make sure these measures are in line with the Regulation" and further "equip their national authorities with the necessary financial and human resources to guarantee their independence and efficiency".
In new guidance (18-page / 365KB PDF) it has published on the GDPR, the Commission said that EU countries that fail to adopt the necessary national laws in time could face fines.
"It is important to give operators enough time to prepare for all the provisions that they have to comply with," the Commission said. "Where member states do not take the necessary actions required under the Regulation, are late in taking them or make use of the specification clauses provided for under the Regulation in a manner contrary to the Regulation, the Commission will make use of all the tools it has at its disposal, including recourse to the infringement procedure."
The Department for Digital, Culture, Media and Sport (DCMS) said on Wednesday that just 38% of businesses in the UK have heard of the GDPR (9-page / 541KB PDF). According to a survey it commissioned, 80% of large businesses in the UK – those with more than 250 employees – had heard of the GDPR. Just 31% of micro companies – those with between two and nine staff members – are aware of the new Regulation, DCMS said.
More than 1,500 businesses were questioned on the issue as part of the government's annual Cyber Security Breaches Survey, the full results of which are due to be published in April. The survey was carried out between October and December 2017.
Different levels of awareness were recorded across different sectors of the economy, DCMS said.
"The finance and insurance; information or communications; and the education sectors have the highest awareness of GDPR (79%, 67% and 52% respectively)," DCMS said. "These are significantly higher than the average. Meanwhile, construction and the production and manufacturing sectors are among the sectors with the lowest awareness (25% and 27% awareness respectively), significantly less than the average."
"Awareness is higher among businesses reporting that senior managers consider cybersecurity a fairly high or very high priority. Just over two fifths (43%) of those placing a high priority on cyber security are aware, significantly higher than those who say it is a low priority (23%)," it said.
Speaking at the World Economic Forum's annual meeting in Davos, Switzerland, the UK's digital and culture secretary, Matt Hancock, called on companies to "act to make sure the personal data they hold is secure and they are prepared for our Data Protection Bill". He urged businesses to refer to guidance produced by the UK's information commissioner to support their work to comply with the new rules.
Information commissioner Elizabeth Denham said: "This is a step change in the law; businesses, public bodies and charities need to take steps now to ensure they are ready. Organisations that thrive under the new rules will be those that commit to the spirit of data protection and embed it in their policies, processes and people."
"The GDPR offers a real opportunity to present themselves on the basis of how they respect the privacy of individuals, and over time this can play more of a role in consumer choice. Enhanced customer trust and more competitive advantage are just two of the benefits of getting it right," Denham said.
In its new guidance, the European Commission urged businesses that have not already done so to "undertake thorough reviews of their data policy cycle so as to clearly identify which data they hold, for what purpose and on what legal basis". They should also carry out a review of data processing contracts they have in place and further assess their "overall governance" of personal data under their control, it said.
"An essential element in this process is to ensure that the highest level of management is involved in such reviews, provides its input and is regularly updated and consulted on changes to the business’s data policy," the Commission said.
"To this end, some operators make recourse to compliance checklists (either internal or external), seek advice from consultancies and law firms and look for products that can deliver on the requirements of data protection by design and by default. Each sector must work out arrangements that are appropriate to the specific nature of its area and are adapted to their business model," it said.