Privacy regulation in the EU (including the UK) is about to undergo significant change: new laws will come into force next year that will impact any company (even those without a presence in the EU) that operates an EU-facing website to market goods or services to EU-based individuals and/or monitors EU-based individuals, e.g., with cookies or other similar technologies. The changes are far-reaching and will require numerous changes to the way businesses handle personal information. The new law, the General Data Protection Regulation ("GDPR") will come into force on 25 May 2018. Although Brexit is raising some questions regarding how the GDPR will be implemented in the UK, the UK regulator has been clear that the UK will closely follow the GDPR. Independent of how the UK may deal with the GDPR, the GDPR will remain an issue for anyone dealing with people in other EU member countries.
The GDPR will place increased obligations on businesses including:
- a stricter definition of consent, making it harder to obtain and particularly affecting those with EU-based employees
- new laws on profiling, sensitive data handling, data retention and use, which will restrict what companies may do with the data they collect and how they store and handle it
- new obligations on and liabilities for data processors
- new breach notification requirements
- increased sanctions for failure to comply, which could result in fines of up to 4% of annual turnover or €20 million (whichever is higher)
GDPR compliance will encompass more than establishing new policies; it may require changes in business operations and new technology or changes to configurations of existing technology. Getting ready for GDPR compliance should be a multi-stakeholder process, involving both internal company resources across the organization and external advisers. Although the law will not apply until May 2018, we are advising companies to start preparing now.
Cooley GO
- Introduction to Europe's General Data Protection Regulation
- GDPR – Do I Need Consent to Process Personal Data?
- GDPR – A Guide for Employers
Other Resources
- GDPR (full text)
- Adopting a Lead Supervisory Authority
- Data Portability
- Data Protection Officers
- GDPR: An opportunity ahead?
- Profiling
- Consent
- Consent (Working Committee, December 2017)
Thought Leadership
- "GDPR Series: Creating and Reviewing Data Protection Policies Part 1 – Internal Facing Policies" – Privacy & Data Protection Journal
- "Employee 'Consent' Under the GDPR" – Thomson Reuters
- "Blockchain Technology May Not be the Best Solution for GDPR Compliance" – CSO
- "The Challenge of Staff 'Consent' Under the GDPR" – People Management
Client alerts
- A Dark Time for Data: WHOIS Blackout Period Likely Starting in May
- GDPR: Guidance on Consent Requirements
- GDPR: Ready or Not, Here It Comes...
- GDPR – Do I Need Consent to Process Personal Data?
- GDPR for Employers
- Introduction to Europe's General Data Protection Regulation
- EU Privacy Q&A – Network and Information Security Directive
- Brexit + Cybersecurity: What You Need to Know
- Brexit + Privacy: What You Need to Know
- Preparing for the GDPR: Advice for Employers
- At Last, Some Real EU Data Protection News: A Welcome Holiday Gift?
Webcast
- GDPR: What you need to know
- GDPR: What you need to know as a venture fund
- GDPR: What you need to know as a life sciences company
- GDPR: What you need to know as an edtech or education driven company or institution
Press comments
- How to Get Ready for GDPR: 2018 Data Protection Changes
- Getting Ready for GDPR
- How to Handle the New US-EU Data Regulations
- GDPR: An Opportunity Ahead?
- Comment: GDPR – An Opportunity for Retailers?
- GDPR: The Good, the Not So Bad and the Opportunities
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.