If you’re in business you are probably aware of something called the Data Protection Act 1998 – but how aware are you of the General Data Protection Regulation?
The GDPR is similar to the DPA we have in the UK, but there are some significant changes and requirements that could directly impact your organisation in its day-to-day responsibility for data protection. Full compliance will apply in the UK and all EU member states from as early as May 2018.
The GDPR is the result of four years of work by the EU to bring data protection legislation up to date, and the British government has confirmed that its impending exit from the EU will not affect its commencement.
There are two main driving forces behind the GDPR: the first is that the EU wants to give people more control over how their personal data is used, and consequently, there are tougher fines for non-compliance and breaches.
The second reason is that businesses should be given a simpler, clearer legal environment in which to operate and one that is identical across the single market.
Does it apply to you?
The GDPR applies to ‘controllers’, who say how and why personal data is processed, and ‘processors’, who are usually the parties doing the actual processing of the data. A good rule of thumb is that if you are currently subject to the DPA then it’s most likely that you’ll also be subject to the GDPR.
Are there any significant changes from the current DPA you need to be aware of?
Yes. One of the biggest of these is a new accountability principle.
The GDPR requires you to show how you comply with the principles – implementation of appropriate technical and organisational measures that ensure and demonstrate compliance is key.
Another change is that the GDPR applies to both automated personal data AND manual filing systems where personal data are accessible according to specific criteria – this is wider than the DPA’s definition. Even the GDPR’s definition of ‘personal data’ is more detailed than that of the DPA. For example, it makes it clear that information such as an online identifier (e.g. an IP address) can also be personal data.
Individuals now also have the right to demand that their data is erased if it’s no longer necessary for the purpose for which it was collected – this is known as the ‘right to be forgotten’.
How big are the consequences if there are any breaches?
If you suffer a data breach and DO NOT report it to the relevant data protection authority (in the UK it is the Information Commissioner’s Office) within 72 hours you can expect to be slapped with a fine up to €10 million or 2% of your global annual turnover, whichever is greater.
If you don’t follow the basic principles for processing data the fines are even more severe – penalties could be issued of up to €20 million or 4% of global annual turnover.
To put that into some kind of perspective, TalkTalk’s £400,000 fine for a customer data breach in October 2015 would’ve amounted to £59 million under the new rules… is that a risk you’re willing to take?