GDPR: Confusion reigns as experts disagree as to whether it's already in force
Could you be fined in May 2018 for a breach now, if the GDPR is already in force in the UK? Some experts say yes
Leading legal experts disagree about whether the EU's General Data Protection Regulation (GDPR) is in fact already in force in the UK.
According to at least one expert, you could be fined up to four per cent of your organisation's global annual turnover for a breach which occurs now, if the UK's data protection regulator the Information Commissioner's Office (ICO) waits until May 2018 to act on the issue.
Speaking at a recent Computing event, Bridget Kenyon, head of security at University College London, said that in her opinion the GDPR is already in force.
"Actually GDPR is in force now, but what's not in place yet is the penalties," said Kenyon. "So if there's a breach now, the ICO could hold on to it and give you the penalties in May 2018," she argued.
Computing put this claim to the ICO itself and to several legal experts, and found conflicting opinions, suggesting that a degree of uncertainty prevails in the industry.
The ICO seemed unequivocal on the matter. Its spokesperson said: "GDPR comes into force in May 2018. Until then, whilst organisations should be preparing for the new regulation, the Data Protection Act remains in force and any breaches or civil monetary penalties will be considered under that legislation."
This view was echoed by Robert Bond, partner at law firm Bristows LLP. However, Dr Kuan Hon, consultant lawyer at Pinsent Masons, agreed with Kenyon that the GDPR is technically already in force, according to its own terms. She quoted Article 99 of the regulation, which governs its entry into force and application:
'This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.'
The GDPR was published in the Official Journal of the European Union on 4 May 2016, and so technically entered into force 20 days later, on 24 May 2016. The second paragraph of the same article draws the distinction that matters here: the regulation 'shall apply from 25 May 2018'. Entry into force and application are therefore two separate dates.
"That means that, technically, yes, it's already in force, and it's been in force since late May 2016. But, it doesn't apply as law in Member States until 25 May 2018," clarified Hon.
The picture is further complicated where an organisation suffers a breach now but does not discover it until after the GDPR starts to apply.
"If an organisation has an ongoing breach now, but doesn't discover it until after 25 May 2018, or discovers it but doesn't fix it until after 25 May 2018 - then it would be exposed to the higher penalties, but this should incentivise organisations to detect and remediate breaches sooner rather than waiting till after 25 May 2018," said Hon.
"There are situations where organisations deliberately hold off addressing a breach, for example at the request of law enforcement agencies, so as not to alert the [hackers] that the breach has been spotted and to give law enforcement more time to track them down. Hopefully regulators would take that sort of thing into account in deciding on the amount of the fine, but obviously the interval between discovering a breach and fixing it properly should ideally be as small as possible," she explained.
Hon advises firms to fix any breaches immediately.
"In short, if there's a breach now, remediate it before 25 May 2018, don't wait! Organisations certainly need to make sure that they have appropriate security measures and breach notification systems/procedures in place before 25 May 2018, ideally earlier than that if they can."
Computing has also recently examined the issue of sensitive data stored in email, and asked whether all emails should be deleted after a certain period, in order to comply with the GDPR.