The GDPR takes immediate effect on 25 May 2018. It introduces a single legal framework that applies across all EU member states. This means that ACE members will face a more consistent set of data protection compliance obligations from one EU member state to the next.
In November 2016, the government confirmed that the UK will adopt the GDPR. Brexit is irrelevant when it comes to demonstrating GDPR compliance.
The GDPR's new accountability principle requires ACE members to be able to demonstrate compliance by showing the supervisory authority (the Information Commissioner's Office, or ICO, in the UK) and individuals how the ACE member complies, on an ongoing basis, through evidence of:
- Internal policies and processes that comply with the GDPR's requirements.
- The implementation of the policies and processes into the ACE member's activities.
- Effective internal compliance measures.
- External controls.
The ICO’s investigative powers include a power to carry out audits of ACE members, as well as to require information to be provided.
Failure to comply with the accountability principle may result in significantly increased maximum fines. The ICO will be able to impose fines on data controllers and data processors on a two-tier basis: up to 2% of annual worldwide turnover of the preceding financial year or 10 million euros (whichever is the greater) for violations relating to internal record keeping, data security and breach notification, data protection officers, and data protection by design and default; and up to 4% of annual worldwide turnover of the preceding financial year or 20 million euros (whichever is the greater) for violations relating to breaches of the data protection principles, conditions for consent, data subjects' rights, and international data transfers.
The GDPR requires a very high standard of consent, which must be given by a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the individual's agreement to their personal data being processed. ACE members cannot rely on consent as a legal basis for processing if there is a "clear imbalance" between the parties (for example, the employer and employee relationship) as consent is presumed not to be freely given.
Under the GDPR, ACE members are required to implement "privacy by design" (for example, when creating new products, services or other data processing activities) and "privacy by default" (for example, data minimisation). This means they must also carry out "privacy impact assessments" before carrying out any processing that uses new technologies.
ACE members will need to develop and implement a data breach response plan (including designating specific roles and responsibilities, training employees, and preparing template notifications) enabling them to react promptly in the event of a data breach, given the 72-hour reporting deadline. Complying with the data breach reporting obligations will also entail a significant administrative burden for ACE members, which may increase costs.
The individual rights of data subjects are expanded. In particular, ACE members should consider how they will give effect to the right to erasure (right to be forgotten), as deletion of personal data is not always straightforward.
From 25 May 2018, ACE members must reply within one month from the date of receipt of a data subject request and provide more information than is currently required.