On 27th April 2016, the European Parliament adopted the GDPR (General Data Protection Regulation), which is an “enhanced version” of the DPA (Data Protection Act 1998).
The regulation will come into effect on 25th May 2018 and is going to affect European organisations – this includes companies in the UK, regardless of whether the UK leaves the EU or the single market, or both. This is because the regulation applies not only to companies based in the EU but also to companies outside the EU that supply goods or services to EU citizens.
So what does this mean to you?
It means that if your company falls into the above category, you will need to ensure that your customers’ PII (Personally Identifiable Information) is secure, as in the event of a breach, your company will be liable to pay €20 million (EUR), or 4% of annual turnover in fines.
PII now covers more than it did under the DPA – in scope, we now have factors such as cultural, mental, economic, social, and biometric data, to name a few, which could be used to identify an individual. Companies will have to aim to reduce the amount of personal data they store, and of course, it must not be stored for longer than necessary.
Companies will be required to obtain parental consent to process the personal data of children under the age of 16, and consent will also be required for marketing and for the use of sensitive personal data. There are also changes to the rules for obtaining consent – requests must be in plain language and provide an ability to opt out at any time. Consent will have to be proved to avoid administrative fines, and silence or inactivity are not valid.
Under the DPA, personal data breaches must be shown to have caused harm or financial loss to the Data Subject in order to impose fines on the processing company. Under GDPR, this will be easier to prove, as Data Subjects now only need to show “distress”. Companies will be subject to two types of fines: for personal data breaches, and for administrative breaches, such as failing to prove that clear consent was obtained. In addition, processing companies will be obliged to notify their relevant Supervisory Authority – without delay – of any data breach as soon as it is evident. Data Subjects will also have to be notified of any data breaches if they are deemed to have an adverse impact.
Certain companies will be required to appoint a Data Protection Officer with expert knowledge of data protection law and practices. This includes public authorities, as well as companies whose main activity is monitoring of Data Subjects and processing their personal data on a large scale.
Companies will not have to notify or register with the Information Commissioner’s Office in order to process personal data anymore. However, they will have to assess the risk and impact of processing personal data, as well as ensure that appropriate security measures, processes, and procedures are in place to protect personal information and reduce the risk of a data breach occurring. To control this, every two years organisations will have to carry out a Data Protection Impact Assessment to prove their compliance.