The EU's new General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union on 4 May 2016, meaning that it will directly apply in all EU member states from 25 May 2018.
The Regulation will make major changes to the data protection regime and introduce greatly increased financial penalties for non-compliance. From a pension scheme trustee perspective, some key changes to note are:
- New requirements relating to obtaining consent to the processing of personal data, with a requirement for an affirmative action in order for consent to be given. It must be as easy to withdraw consent as it is to give it;
- Enhanced enforcement rights, including the ability of regulators to levy fines of up to 20 million Euros, and greater enforcement rights for individuals whose data is being processed;
- As well as imposing more stringent requirements on data controllers, the Regulation introduces direct compliance requirements on data processors; and
- New requirements to report data protection breaches.
Clearly, the uncertainty over the outcome of the EU referendum on 23 June makes it unclear to what extent the Regulation will have direct effect in the UK in the long term. However, the Regulation's reach extends to data controllers and processors outside the EU where the data of EU citizens is being processed, so whatever the outcome of the referendum, trustees will need to consider whether there are measures they need to take to ensure they are compliant with the Regulation from 25 May 2018.
One possible consequence of a Leave vote in the referendum is that it could become harder to transfer data between the UK and Europe (including to data centres located outside of the EU), as parties transferring data to the UK may need to make sure there are adequate legal safeguards in place, where previously they could have relied on there being free movement of data within the EU. The UK might have to pass new legislation enacting the GDPR provisions into English law to avoid this, and further safeguards might also be needed to protect individuals' rights.