The two year 'sunrise period' expiring in May 2018 was intended to allow organisations time to prepare for the incoming new law. Unfortunately, the EU Referendum created confusion, with many organisations believing that the GDPR, as a European regulation, would not take effect. However, both the British Government and the ICO have indicated that the GDPR will become law in the UK. The effect is that a quarter of the potential time to prepare for the GDPR has been lost, leaving just over 12 months to achieve compliance.
Risks of non-compliance
The high maximum fines the GDPR would introduce have already been explained. However the risks a non-compliant organisation faces are not limited to financial penalties. The GDPR grants data protection authorities a wide range of powers including the ability to conduct compulsory audits and to suspend organisations' use of personal information. In addition, the UK data protection authority plans to hire an additional 200 employees, expanding its capacity by around 40 per cent, in anticipation of the GDPR coming into force. In practice, this expansion will significantly increase its ability to enforce the new law.
Organisations face an additional risk following a development in the common law, which enables individuals to claim for pure distress (ie no financial loss) where they are affected by misuse of private information. In what is believed to be the first of its kind, an award for damages on the basis of pure distress was made by an Edinburgh court earlier this year, and some commentators believe this paves the way for significant 'class action' type claims against organisations.
How to address the risk
Organisations have just over 12 months to prepare for the GDPR, and must start now if they have not already done so. As a first step they must ascertain the personal data they hold (for example, about their employees, customers and suppliers), and ensure it has been collected and used in accordance with the principles of the DPA and the GDPR when it takes effect. The use of personal information is becoming an increasingly regulated activity, and failing to comply is an increasingly dangerous risk.
James Castro-Edwards is a partner at Wedlake Bell LLP