Ok, so what shouldn’t be a surprise to anyone is that we are working with more and more data every year, which doesn’t appear to be changing anytime soon. The governments seem to have finally caught up and recognised that the ageing Data Protection Act will no longer be enough to protect against the requirements of modern day life which require a more 'futureproof' approach to the way we manage our personal data.
As of the 25th May 2018 the European Parliament will be enforcing a new set of obligations regarding everything Data Protection and this will become standardised for all companies trading in European Countries. Obviously they have kept all of the best bits from the Data Protection Act but there are some really interesting additions such as the rules that surround Consent and our Right To Be Forgotten.
In recent weeks I have been discussing the GDPR with people to understand how they feel the new regulations will affect their businesses and I have been surprised by some of the responses. I have heard everything from ‘I don’t know where to start, can you help?’ to ‘what’s the GDPR?’. The one thing that is now sure in my mind at least is that local business enterprises need support to ensure they don’t unknowingly walk into costly fines next May.
To help get you started, here are some points to think about:
We voted to leave the EU so this won’t affect us!
Yes, I have actually had someone tell me this, and it's the first one to be really careful of. These regulations will come into effect in May 2018 and the UK will not be leaving the EU until at least 2019, so this will be a very real problem right here in the UK even if you have no intention of trading in other European countries. In many cases I think Brexit has a lot to answer for, because many businesses have stopped taking notice of the European Parliament when this is really the very time to be keeping up to date with what's happening across the pond.
Don't stop there though, because data has been discussed in all of the UK party manifestos and it seems that no matter who is in Number 10 the GDPR is here to stay, so don't leave it to the last minute: this is happening!!!
What is a Data Breach?
Personal data refers to any information which can make a person identifiable as an individual. The new regulations define a personal data breach as "A breach of security which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data transmitted, stored or otherwise processed". In short, this means there's nowhere to hide! For businesses it also means that the days of unclear data protection policies are well and truly gone, and there is a much more clearly defined scale for data protection law.
What do I do if I find a Data Breach In My Business?
This comes down to who is considered the 'Data Controller', as it's their desk this problem is about to land on. The Data Controller is the organisation which has collected or owns the personal data the breach relates to. The big thing to be aware of, though, is the time scales involved! The Data Controller has a maximum of 72 hours to report the breach to the newly established Supervisory Authority for the country where the company's main business activities take place. As with lots of things, it would never be a good idea to report a breach late, and if the business doesn't report a breach within 72 hours there should be some very good reasons, which are likely to be investigated.
The other people who MUST be informed of a data breach are the people whose data has been breached. The only exception to this rule is where the data has been altered to a point where the individuals' identities cannot be recovered; in that case it is reasonable to accept that a business cannot inform those people. Having said that, there will never be an accepted excuse for not reporting a breach to the Authorities.
It’s too expensive to make all the changes, what’s the point?
Again, I have actually been asked this! I feel like the bearer of bad news, but the fact is that it will be a lot more expensive to get caught ignoring this than it will be to just be ready for it.
The fines for non-compliance can be eye-watering, but the main disciplinary process will include:
- Written warning if this is a first offence and it is considered a non-intentional act of non-compliance.
- Regular and Intense Data Protection Audits
- In almost all cases of repeat breaches the penalty will be up to €10,000,000 or 2% of the business's annual worldwide turnover, whichever is the higher!
- Any breach which the European Court deems to be more serious would see the highest level of fines, up to €20,000,000 or 4% of the organisation's annual worldwide turnover, whichever is the higher!
So, as you can see, it is much more cost effective to be ready for this rather than pay the fine later.
I don’t know where to start!
As with most things, knowledge is power, so it is a good idea to speak about GDPR openly inside your business and make sure the people in your organisation know what this is and how it affects them. Talk about how breaches have happened in other businesses and make sure steps are taken to ensure everyone is taking precautions where possible. It is also a good idea to share the information on fines and make employees aware of the financial implications.
Make a comprehensive report on the data your business holds: how it was generated and how you are storing it.
A massive part of the GDPR revolves around consent, so it is vital you not only know how you are gathering this information but whether you actually have consent from the individuals. It is just as important that you can prove you have this consent. The second area to be very aware of now is gaining consent from an individual who is not old enough to provide it. For many businesses this will be the hardest part, especially if the data is gathered online. You need to be able to make sure you have consent from an appropriate adult where needed.
In this day and age, dealing with data is going to be inevitable for almost every business in some way or another, so it's really important you check you have the correct procedures in place should you need to detect, investigate and report any personal data breaches which occur. Once GDPR takes effect in May 2018 all businesses should have an individual who is responsible for data protection and compliance.
The time to prepare for GDPR is now!
For more information, email firstname.lastname@example.org and arrange a FREE review of your systems today, or register for our free GDPR seminar.