What Is The General Data Protection Regulation?
Businesses in the UK should be preparing themselves for the forthcoming General Data Protection Regulation (GDPR), new EU legislation that will be coming in to replace the Data Protection Act 1998.
The new regulations have been drafted in order to cover the different ways that data is now being used, bringing in tougher fines for breaches and non-compliance, while also giving people more of a say about what companies can do with personal information.
As such, companies would be wise to send the relevant people on compliance training courses so they’re ready for May 25th 2018, which is when the GDPR will apply throughout all EU member states.
Bear in mind that because this new system is a regulation as opposed to a directive, the UK will not have to draft new legislation. This will simply apply automatically. The aim of the GDPR is to give people more control over the use of personal data, important given that companies now swap access to this information in exchange for use of services.
In addition, it should give companies a simpler legal environment in which to operate where data protection is concerned, because the law will be identical throughout the EU.
It’s important to note that the definition of personal data has been expanded under this new regulation – so remember that IP addresses are now considered to be personal information because they serve as an online identifier. Data processors and controllers in particular will be affected by these forthcoming changes, even if they’re based outside the EU, provided the data they’re dealing with belongs to EU residents.
If a data breach does take place, you will need to let your protection authority (in the UK, this is the Information Commissioner’s Office) know within 72 hours of becoming aware of it – if it puts people’s rights and freedoms at risk. You should also let those affected by the breach know about it before you call the ICO. If you don’t meet this 72-hour deadline, you could be hit with a penalty of €10 million or up to two per cent of your annual revenue, whichever one is higher.
This isn’t as bad as the penalties could be, however. If, for example, you don’t follow the principles of data processing – like consent, or transferring it to another country – you could be hit with a fine of up to €20 million or four per cent of your global turnover, again whichever one is higher.
Alarmingly, new research from job board CareersinCyberSecurity.co.uk and law firm Hamlins has just revealed that 73 per cent of businesses in the UK have yet to budget for the roll-out of changes necessary in order to comply with the GDPR.
Some 53 per cent have yet to appoint a data protection officer (a requirement under the new regulations), the research found. Reasons given for failing to prepare for the changes were believing that Brexit would mean they wouldn’t have to comply, not having the funds to do so, not wanting to get caught up in red tape and not believing there to be a business risk.