The General Data Protection Regulation
The "biggest attempt so far by a legislator to grapple with the realities of global, ubiquitous data in the internet era", the General Data Protection Regulation (GDPR), enters into force on 24 May 2016.
It is extra-territorial in scope and applies directly to businesses (including public and private sector) in the Island that offer goods or services to, or monitor the behaviour of, individuals resident in the EU.
In addition, EU controllers transferring personal data to businesses (controllers or processors) in the Island will require those Island businesses to comply with the requirements of the GDPR in respect of those inward transfers.
There is a two-year transition period until the GDPR becomes fully enforceable and the 1995 Data Protection Directive ceases to have effect. Island businesses need to take steps now in order to achieve full compliance by 25 May 2018.
In addition to regulation by the Information Commissioner for personal data relating to individuals who are not resident in the European Union, Island businesses subject to the GDPR will need to identify, and be regulated by, a lead supervisory authority in the European Union.
In a nutshell, the GDPR brings:
- Greater accountability with a requirement to demonstrate compliance
- Fines of up to 4% of total worldwide turnover for non-compliance
- Robust security requirements
- Widened definition of personal data
- New obligations for processors
- New and enhanced rights for individuals
- Compulsory data breach notification
- New obligations in respect of children's data