GDPR (General Data Protection Regulation) is coming into effect on 25th May 2018. With it come a number of important changes for all types of businesses.
GDPR is complicated, but it is crucial that businesses in the EU comply with the regulation. Although the UK is leaving the EU, GDPR will still affect UK businesses, because it comes into force before 2019.
GDPR will impact your business in a number of ways. In an effort to make GDPR easier to understand, we at entrustIT have picked out the five most important ways GDPR will impact your business.
1. Larger fines for non-compliance
GDPR replaces the Data Protection Act 1998 in the UK, and with that replacement comes far heavier fines for non-compliance. The fine structure is split into two tiers, Tier 1 and Tier 2.
Under GDPR, should your business suffer a data breach, it must be reported to the UK’s Information Commissioner’s Office (ICO) within 72 hours (more details on what will be required are in our forthcoming whitepaper). Failure to notify the ICO results in fines being imposed.
Depending on the severity of the breach, and how important the data that has been put at risk is, your fine will fit into one of the two tiers.
Tier 2 is the lower of the two, but still commands a fine of up to an eye-watering €10m (£8.6m), or 2% of the previous year’s global turnover, whichever is greater.
Tier 1, which is reserved for the most damaging breaches, carries a fine of up to €20m (£17.25m), or 4% of global annual turnover, whichever is greater.
2. Changes to ‘consent’
One important change that GDPR brings is the requirement for consent when handling personal data.
In the past, companies could handle personal data as long as the user in question didn’t ‘opt out’. The process for opting out was often not immediately obvious, or was complex, and this resulted in personal data being processed without the end user necessarily realising.
This has been completely changed in GDPR. Now, in order for a company to process an end user’s personal data, it is required to have that user’s specific consent for that type of use. Not only that, but it must keep records of when that consent was given, and these records must be available to give to the authorities when required.
Furthermore, the end user has the right to withdraw consent at any time. As a business, you will be unable to lawfully process personal data until you receive their consent. Any business found to be improperly processing personal data will be fined at the highest level of the two-tier system and will also suffer significant reputational damage.
3. Changes to breach notifications
We touched on this in point 1. In order to provide a single data protection standard across the European Union, GDPR includes a single breach notification requirement. Currently, each EU member state has its own data protection laws. Some are strong, but some are very weak, and organisations in member states with weaker data protection laws may never have had to notify any authority of a data breach. GDPR seeks to bring all member states in line with each other regarding breach notifications.
A personal data breach is defined as a breach of security that results in the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
In the event of a personal data breach, the relevant supervisory authority must be notified within 72 hours of discovery of the breach. Each member state has its own authority; in the UK, it is the Information Commissioner’s Office (ICO).
You must be able to provide the ICO with details of the nature of the breach, the approximate number of people affected and the contact information of your organisation. You must also be able to outline the measures you will take to reduce further risk to those affected.
Failure to do so can result in a Tier 2 fine.
4. Data Protection Officers (DPOs)
Under GDPR the following businesses must appoint a Data Protection Officer (DPO):
• Public Authorities
• Organisations whose core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale
• Organisations whose core activities consist of processing sensitive personal data on a large scale
These DPOs must have “expert knowledge” of data protection law and must report directly to the highest management level. They also cannot be instructed on how to carry out their tasks, and cannot be dismissed or penalised for performing them – a big responsibility indeed!
The DPO will advise their employer on compliance with GDPR and continuously monitor whether the company is complying correctly. The DPO will also act as the main point of contact with the regulatory authority in the event of a data breach.
5. Privacy by Design
GDPR introduces ‘privacy by design’ as a legal requirement. This means that when designing any new system, data privacy measures must be built in from the start rather than added at a later date.
Therefore, organisations are required to hold and process only the data they absolutely need, and to limit access to personal data to those members of the organisation who explicitly need it.
This means that in the development of any new product or service, your organisation must make data protection an integral part of the design of that product or service. The legislation itself does not specify exactly what measures you are expected to take, but it is clear that data protection will have to be a focus for all organisations under GDPR.
Did you find this blog post helpful? If so, please like and share it with your friends and colleagues. Look out for the next article in our series on GDPR entitled “5 steps to get GDPR ready” coming soon.