The European Parliament has voted through the new General Data Protection Regulation (GDPR), ushering in a new era of data protection laws for UK firms. However, it is likely to be two years before the laws start being enforced.
The GDPR has been crafted after four years of debate and disagreements, but now brings a single, EU-wide data protection law to the statute books with some notable components.
These include fines of up to four per cent of global turnover for data breaches and more stringent requirements on collecting and using data for marketing purposes. The law also enshrines the Right to be Forgotten and data portability for citizens.
Andrus Ansip, vice president in charge of the Digital Single Market at the European Commission, explained that the move will boost economic growth in Europe by giving firms a clearer set of data protection regulations.
“The new rules will ensure that the fundamental right to personal data protection is guaranteed for all,” he said.
“The GDPR will help stimulate the Digital Single Market in the EU by fostering trust in online services by consumers and legal certainty for businesses based on clear and uniform rules.”
The law has now been approved but it will be some time before it becomes binding. The European Parliament said that nations have two years to transpose the new laws onto their statute books.
The Information Commissioner's Office (ICO), the UK's data protection watchdog, said the vote was a big step forward for the way organisations will have to protect data.
“Today’s progress marks another step toward data protection reform. It will enhance the data protection rights of individuals and make organisations more accountable.”
Phil Lee, data protection partner at Fieldfisher, described the final approval of the new data protection regulation as an “historic” day.
"Europe has adopted its new data protection laws and these will raise the bar right across Europe - and quite possibly worldwide - for the protection of individuals' fundamental privacy rights," he said.
However, Lee added that the new law benefits individuals more than businesses, and that some of the requirements are somewhat onerous on firms.
“Many of the rules introduce significant new burdens for businesses that will be keenly felt for years to come,” he said.
“Whatever else may be said about it, the simple fact is that the global standard for data protection will now be dictated by European rules.”
Of course, while the laws have been passed, the UK could leave the European Union after the referendum, which opens up myriad questions about whether UK firms will be affected by the new laws.
The advice from lawyers thus far has been for organisations to start preparing for the new law as if the UK will remain in Europe, rather than playing a wait-and-see game.
Mark Thompson, privacy practice leader at KPMG UK, said any firms clinging to the idea that a Brexit leave vote would render the GDPR irrelevant were clinging to "false hope".
“The hope is that the heavy fines and onerous new requirements introduced by the GDPR won’t be applicable to them if Britain leaves the EU. Some might argue that this would be an additional benefit for businesses in the event of Brexit,” he said.
“[But] should Brexit happen, the GDPR, or something very close to it is likely to be passed in the UK. The reality is that Britain needs to trade with the EU and trade these days is becoming increasingly reliant on personal information.”