Described as a “decent piece of legislation” by digital minister Matt Hancock at the EU Home Affairs Sub-Committee last week, the General Data Protection Regulation (GDPR) will ensure that the UK can continue an “uninterrupted and unhindered flow of data” with the EU after Brexit.
With less than 15 months to become compliant, it’s important that organisations get to know the GDPR now so that they have the knowledge to implement a robust data protection regime by May 2018.
Here we’ve gathered key pieces of information to help you get to know the GDPR:
Top-level changes under the GDPR that will affect how you handle data
- Even if your business is not in the EU, you will still have to comply with the Regulation if you handle EU residents’ personal data.
- The definition of ‘personal data’ is now broader, encompassing factors such as an individual’s mental, economic, cultural and social identity.
- You must obtain clear and affirmative consent to process personal data and parental consent will be necessary to process children’s data.
- A data protection officer (DPO) will be mandatory for certain companies.
- You must perform a data protection impact assessment before undertaking high-risk data processing activities.
- You will have 72 hours to report a data breach.
- Data subjects have the ‘right to be forgotten’.
Increased penalties under the GDPR
Organisations in the UK currently have to comply with the Data Protection Act 1998 (DPA), which is enforced by the Information Commissioner’s Office (ICO). Non-compliant organisations can be fined up to £500,000 and can be required to commit to a particular course of action to improve their compliance.
With the GDPR, penalties will reach an upper limit of €20 million or 4% of annual global turnover, whichever is higher. For many businesses, this means the threat of insolvency or even closure as a result of GDPR penalties will soon be very real.
How to report data breaches under the GDPR
Once the GDPR comes into effect next May, organisations will have to report data breaches to the national regulator (the ICO in the UK) within 72 hours of discovery. You will need to explain what happened, what you have done about it and what the impact will be on data subjects.
If data subjects’ rights are likely to be put at risk, you will also have to inform them that their data has been compromised and tell them the risks they face as a result.
You can find out more in Alan Calder’s video, What the GDPR means for your business in the UK.
Getting to know the GDPR
As explained above, the GDPR will likely bring significant changes to how you manage data in your organisation. Now you can develop your understanding of the Regulation and your compliance obligations further with the GDPR Expertise Bundle.
Containing essential resources, including a handy pocket guide, a useful implementation guide and guidance on Cloud computing, this bundle will help you get your GDPR compliance project underway.