Are You Ready for the New GDPR Legislation?
In May 2018, data protection legislation will undergo its biggest changes in two decades. Originally created in the 90s, the current Data Protection Act is now seen as outdated due to the dawn of the digital era and the vast amounts of personal information we now create, capture, and store. For businesses already compliant with the Data Protection Act, GDPR is seen as an evolution of the current legislation. However, there are some key changes you should be aware of.
Any individual, organisation, or company acting as a Data Controller or Data Processor that operates within the EU, or deals with individuals who reside within the EU, is subject to the new legislation, and both Personal Data and Sensitive Personal Data are covered by GDPR.
Personal Data is essentially any information that can be used to identify an individual. This can include email addresses, social media names, bank details, date of birth, etc. Sensitive Personal Data includes information relating to religious and political views, sexual orientation, and more, and requires stricter controls regarding the reasons for holding the data and the security of the data.
The GDPR legislation has 99 articles setting out the rights of individuals, as well as obligations placed on organisations. These include allowing people easier access to the data companies hold on them, an individual’s “right to be forgotten”, a clear responsibility for Data Controllers to obtain the explicit consent of the individuals they collect information from, and a new and significant fine regime for breaches of the legislation.
If you are preparing for GDPR, a good place to start is with a Data Protection Policy and clear records of the data you hold, why you hold it, and for how long you need to hold it, along with the measures taken to ensure it is kept secure. Depending on the size of your organisation, you may also benefit from a Data Protection Impact Assessment or Audit.
According to the new legislation, any “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data has to be reported to the Data Protection Regulator, which in the UK is the Information Commissioner’s Office, within 72 hours of the breach occurring. Individuals who could potentially be affected must also be informed.
In addition, companies that carry out “regular and systematic monitoring” of individuals on a large scale, or that process a lot of Sensitive Personal Data, must have access to competent advice from a Data Protection Officer (DPO). This is not typically required for small businesses whose main purpose does not directly involve mass processing of data.
One of the most significant changes in the new Data Protection legislation is the size of the fines that can be imposed on anyone who breaches it: up to £10 million or 2% of the company’s global turnover, whichever is greater.
For more information on the new GDPR legislation, download the official 12-step guide.