Major far-reaching changes to data protection law come into effect on 25 May 2018, when the EU ‘General Data Protection Regulation’ (GDPR) starts to apply. Here are Centrefield’s “five thoughts” on the GDPR:
#1. Increased Fines – the GDPR ‘raises the stakes’ in terms of the financial consequences of failing to comply with data protection law. The maximum fines increase on a two-tier basis depending on the nature of the infringement: up to 2% of annual worldwide turnover or €10 million (whichever is the greater) for breaches of obligations such as those relating to security, record-keeping and breach notification, or up to 4% of annual worldwide turnover or €20 million (whichever is the greater) for breaches of the core data protection principles, the conditions for consent or individuals’ rights.
#2. Tougher Obligations – as well as introducing direct statutory obligations on data processors for the first time, the GDPR places more onerous accountability obligations on data controllers than the current regime, including requirements to carry out data protection impact assessments for high-risk processing, implement data protection policies, report personal data breaches within short timeframes (to the supervisory authority within 72 hours of becoming aware of the breach, where feasible) and, where applicable, appoint a nominated ‘Data Protection Officer’.
#3. Rights of individuals – in line with the GDPR’s objective of putting individuals ‘in control of their data’, it creates some new rights for individuals and strengthens some existing ones, for example: the right to be informed (typically through a privacy notice); the right of access to personal information (organisations will have one month, rather than the current 40 days, to comply with a subject access request); the right to restrict and object to data processing; and the right to erasure (also known as ‘the right to be forgotten’).
#4. Consent – will be harder to obtain. Consent must be a freely given, specific, informed and “unambiguous” indication of the individual’s wishes, given by a clear affirmative action, so silence, pre-ticked boxes, requirements to opt out and non-specific ‘blanket’ consents will no longer suffice. Importantly, consents already obtained from individuals may continue to be relied upon, but only if they meet the new requirements. If not, you will need to obtain consent afresh, which could be a major task for many data controllers.
#5. Impact – the new regime is likely to have a significant impact on the sports and media world, particularly on entities which collect individuals’ personal information (whether through websites, apps, social networks or otherwise) for purposes such as ticketing, hospitality and events, building a ‘fan’ or ‘member’ database, or sending newsletters and updates. Whilst there is just over a year until the new rules go live, the nature and scope of the new regime mean that now is clearly the time to review your organisation’s current data protection practices and procedures and to put in place an action plan to ensure you will be ‘GDPR ready’ on 25 May 2018.
If you would like any more information on any of the points raised above or any advice in connection with data protection matters, please contact David Bentham (Partner) or Deirdre McCarthy (Associate), or call 0161 672 5450.
Please note the information contained in this briefing is intended as a general review of the subject featured and is not intended as specific legal advice.