Is the General Data Protection Regulation (GDPR), technically, in force in UK law already?
According to at least one expert, organisations could face stiff GDPR-scale fines after May 2018 for security breaches that occur before the 25 May 2018 deadline - and those fines could be as high as four per cent of global annual turnover.
Speaking at a recent event held by V3 sister site Computing, Bridget Kenyon, head of security at University College London, warned that the GDPR is already in force, in her opinion.
"Actually GDPR is in force now, but what's not in place yet is the penalties," said Kenyon. "So if there's a breach now, the ICO could hold on to it and give you the penalties in May 2018," she suggested.
V3 has spoken to both the ICO and several data protection lawyers to confirm the opinion, but received conflicting advice, suggesting a wide degree of uncertainty over the rules at the moment.
The ICO was unequivocal on the matter. Its spokesperson said: "GDPR comes into force in May 2018; until then, whilst organisations should be preparing for the new regulation, the Data Protection Act remains in force and any breaches or civil monetary penalties will be considered under that legislation."
This view was echoed by Robert Bond, partner at law firm Bristows LLP.
However, Dr Kuan Hon, consultant lawyer at Pinsent Masons, agreed with Kenyon that the GDPR is, technically, already in force, according to its own terms. She quoted Article 99 of the regulation, which governs its entry into force and application: 'This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.'
The GDPR was published in the Official Journal of the European Union on 4 May 2016, and so, technically, came into force 20 days after that.
"That means that, technically, yes, it's already in force, and it's been in force since late May 2016. But, it doesn't apply as law in Member States until 25 May 2018," clarified Hon.
However, the picture is further complicated where an organisation suffers a breach now, but doesn't discover it until after the GDPR starts to apply.
"If an organisation has an ongoing breach now, but doesn't discover it until after 25 May 2018, or discovers it but doesn't fix it until after 25 May 2018 - then it would be exposed to the higher penalties, but this should incentivise organisations to detect and remediate breaches sooner rather than waiting till after 25 May 2018," said Hon.
"There are situations where organisations deliberately hold off addressing a breach, for example at the request of law enforcement agencies, so as not to alert the [hackers] that the breach has been spotted and to give law enforcement more time to track them down.
"Hopefully regulators would take that sort of thing into account in deciding on the amount of the fine, but obviously the interval between discovering a breach and fixing it properly should ideally be as small as possible," she said.
Hon advises firms to fix any breaches immediately.
"In short, if there's a breach now, remediate it before 25 May 2018, don't wait! Organisations certainly need to make sure that they have appropriate security measures and breach notification systems/procedures in place before 25 May 2018, ideally earlier than that if they can."
V3's sister site Computing has also recently examined the issue of sensitive data stored in email, and asked whether all emails should be deleted after a certain period, in order to comply with the GDPR.