What is GDPR and how is it different to the Data protection Act (DPA)?
The General Data Protection Regulation (GDPR) is a new EU regulation that the UK will adhere to despite BREXIT. It changes the way in which businesses and organisations must capture, manage and store personal data. The UK Data Protection Act 1998 (DPA) is different to GDPR – most notably for the fines and penalties that can be imposed for any breach of these regulations. For these reasons, it is very important that business owners take notice of the forthcoming changes in legislation, to avoid potentially crippling financial penalties in the future.
Why is the GDPR coming into effect?
With the amount of personal records stored and used by companies ever increasing, these regulations will standardise the way companies handle this data. Whether it’s your personal bank details, professional contact details or photos from your social media accounts, this will all fall under the data protected in the new legislation.
With a rise in high profile cases, such as the 2013 Yahoo database breach and the 2017 Gmail leak, it’s not only large companies who will have to adhere to the regulations but smaller companies holding any form of customer details.
Will Brexit Mean GDPR Doesn’t Matter?
No, it won’t. The government has already confirmed that the UK’s decision to leave the EU will have no effect on the implementation of GDPR. Along with many other aspects of life, business and law, personal data will continue to be managed in line with our European neighbours post-Brexit.
Is this a good thing?
Well, that comes down to personal opinion; however, the aim of the GDPR is to strengthen citizens’ rights regarding their personal data, whilst also claiming to assist businesses by simplifying the rules for companies. Whether companies would agree at this point that it simplifies the rules is perhaps debatable; however, in the long term, the aim is to bring clarity to businesses’ responsibilities when managing personal data.
When Does GDPR Come Into Effect In The UK?
The GDPR will come into effect in the UK from Friday, 25th May 2018. As of the date of posting this article, that is less than 7 months – so if you’re a UK business owner reading this any closer to the 25th May then you don’t have long to get your ship in order! You can download ICO’s 12 steps to compliance here which will help you get things moving.
Does this mean I need to employ a CPO?
With a constant stream of new customers, new email addresses and new snippets of personal information coming into your company’s ownership, you will also have to continually monitor how it’s kept secure and used.
In fact, there are new roles being created within organisations with the sole purpose to look after this data. A CPO (Chief Privacy Officer) may not be suitable for your company but it does show how important this function is becoming in the current digital climate.
So no, you may not need to employ a CPO, but companies of all sizes holding any form of customer data will need to ensure all relevant procedures are put in place and, most importantly, maintained.
GDPR Fines & Penalties
Under the current DPA (Data Protection Act) the maximum fine the ICO can impose against a data controller that hasn’t adhered to the regulations is £500,000.
However, under the GDPR the ICO will be able to issue two levels of fines dependent on the severity of the breach.
The most serious offences will incur fines of up to €20 million or 4% of group worldwide turnover (whichever is greater). This is against both data controllers and data processors.
For less serious breaches, companies will be liable to fines of €10 million or 10% of group worldwide turnover, whichever is greater.
The ICO have stated that they will take into account circumstances around the breaches when assessing the severity of the fine. Things such as the volume of data, the loss associated with the breach and whether it was intentional or due to neglect will have an impact.
Disclaimer & WIP
This blog post contains our own views on the GDPR changes following training and seminars that our staff have attended in preparation. It is intended as a useful resource only and we do not claim to be experts in the implementation of GDPR. There are many sources available that offer concrete information in great depth, such as ICO and Gov.uk, we recommend that these resources are used as your business implements GDPR changes.
This blog post is also a work in progress and we intend to update as further information becomes available (and as we get the time to write it!).