The General Data Protection Regulation (GDPR) is a law brought in by the European Union (EU) in May 2018, replacing the Data Protection Directive 1995, also known as the Data Protection Act 1998 in the UK. The aim of GDPR is to modernise the laws that protect the personal information of individuals.
GDPR applies to any business collecting data on EU citizens and enforces the following changes to the way data is stored and handled within a business environment. It aims to simplify the regulatory environment for business so that both citizens and businesses in the European Union can fully benefit from the digital economy. Business owners are now solely responsible for the security of clients’ data, and the regulation applies to organisations of all sizes that store EU citizen data, regardless of where they are based. Failure to adhere to GDPR carries a much larger financial punishment than under the previous Data Protection Act 1998.
Below is a summary of GDPR for businesses.
Interested to know what your business needs to do before May 2018 in order to be GDPR compliant? One of our certified GDPR Consultants has put together 34 questions that you need to consider in order to be compliant.
Under GDPR, the following are treated as personal data that a business must protect:
• Personal Home Addresses
• Contact Names
• Personal Contact Numbers
• Personal IP Addresses
• Personal Email Addresses
• Racial or Ethnic Origin
• Political Opinions
• Religious Beliefs
• Sexual Life
• Physical or Mental Health information
• Whether the customer is a member of a trade union
• Any criminal offences
GDPR has also introduced strict penalties for companies that suffer data breaches. In the event of a data breach, businesses could be fined up to 4% of global turnover or €20 million (£16.9m) – whichever is larger.
Protecting your clients’ data is now more important than ever; but did you know there’s a little more to data protection than ensuring your business server is kept in a locked room overnight? Have you thought about how well protected your cloud-based systems are? What about all your business emails, your finance software, and your historical and current paperwork?
The Information Commissioner’s Office (ICO) used to be able to impose a maximum penalty of £500,000 on companies that failed to adequately protect their customers’ information.
If your business has a data breach, whether from a cyber-attack or human error, you are responsible for reporting it to the ICO within 72 hours of the occurrence. If you fail to notify the ICO within 72 hours of discovering the data breach, a penalty of up to 2% of annual turnover may apply.
Businesses are now required to self-report all data privacy breaches, no matter how small they are.
We are also going to explore another regulation under the GDPR that we have frequently been asked about. Article 37 states that many businesses throughout the UK are required to have a designated Data Protection Officer (DPO) and we will explain what a DPO is, what their role is and what businesses need to do in preparation.
A Data Protection Officer (DPO) plays a vital role within the business, ensuring that all staff and management adhere to the business’s data protection obligations regarding the control and processing of business and customer data. More importantly, they oversee the data protection strategy for the entire business to ensure it is compliant with GDPR and other related regulations such as ISO 27001.
You can allocate this role to an existing employee within the business and assign it as an additional responsibility, similar to a Health and Safety Officer. Only large businesses will need a fully dedicated person as a Data Protection Officer.
If your business is ISO 27001 compliant it would make sense to assign the Data Protection Officer responsibility to the Information Security Officer who will be familiar with the current data laws and regulations. The IT Manager within your business (or similar) would likely be best suited as they should be familiar with national and European data protection laws.