The EU’s General Data Protection Regulation (GDPR) will become applicable in May 2018 and there’s still a lot of concern about what this will mean for companies and individuals. The GDPR, which will replace the EU’s 1995 directive, is one of the strictest sets of data protection rules yet established. It took four years of discussion for Europe’s major players to reach an agreement, and the end result gives individuals more rights and control over their personal data than ever before, as well as placing more obligations on companies to maintain responsible privacy measures.
How Will the GDPR Affect the UK?
Britain’s decision to leave the EU has cast some doubt over whether or for how long the GDPR rules will be applicable in the UK. However, the UK’s Data Protection Bill, which was released on the 14th September and is currently awaiting approval from both houses of parliament, keeps almost all the protections established in the GDPR with only minor changes for some specific types of organisations.
What Businesses Will Be Impacted?
The Cyber Governance Health Check conducted this spring included questions about businesses’ preparedness for the GDPR and the results were mixed. While almost three quarters (71 percent) of the 350 FTSE companies surveyed said they were ‘somewhat prepared’ for the new regulation, only 6 percent could claim to be fully prepared and it’s likely the readiness level is even lower among smaller companies.
Like previous data protection bills, the GDPR applies to all companies that are ‘processors’ or ‘controllers’ of personal data, whether they are a charity, a start-up or an established business. It includes personal data, defined as things like names, addresses or email addresses, as well as sensitive personal data such as religious or political affiliation and sexual orientation. Unlike previous laws, the GDPR also applies to ‘pseudonymised’ personal data that could be used to identify the individual.
The GDPR includes higher accountability standards than previous legislation. This means companies need to have a comprehensive data protection policy, including impact assessments and documentation of how data is processed and stored. Data breaches must be reported to the Information Commissioner’s Office (ICO) within 72 hours. Companies with 250 employees or more are subject to even more extensive documentation requirements and some companies may need to hire a Data Protection Officer (DPO) to oversee the process.
Rights for Individuals
Beyond the stricter requirements for businesses, the GDPR provides greater rights for individuals in relation to their data. Under current British law, businesses can charge £10 for the right to access one’s own personal data; the GDPR requires that this service be offered free of charge and stipulates that the data be provided within one month of the request.
In many situations, businesses must also obtain ‘opt-in’ consent from the individual before collecting their data, including a clear statement defining how the information will be used. Individuals have the right to an explanation of any decision with regard to their data which will impact them significantly, and in some cases they can revoke consent or request that their data be deleted if it is no longer relevant or was collected unlawfully.
Perhaps one of the most talked about features of the GDPR is the fines which can be levied against companies that fail to adequately secure personal data under the new rules. Smaller violations carry a penalty of up to €10 million or 2 percent of the company’s annual revenue, while the most serious offences could be punished with a €20 million fine or 4 percent of the company’s annual revenue (whichever is higher). In the UK, these fines will be issued by the ICO, headed by Elizabeth Denham.
While analysis shows that fines could be as much as 79 times higher under the new system, Denham herself cautions against such scaremongering and assures businesses that large fines will be a last resort against companies that repeatedly fail to address their noncompliance. She believes a ‘stern letter’ will be enough to convince most companies to improve their practices, especially given the threat of larger penalties should they ignore the issue.
At Reputation Defender we offer privacy services for both businesses and individuals. We can help ensure your company is using the best, most up to date practices, in compliance with the GDPR. We also offer assistance for individuals who want to better understand their rights under the new law. Visit our website or call one of our representatives to learn more about our services.