There’s only 40 days to go until General Data Protection Regulation (GDPR) comes into effect on the 25th May 2018.
GDPR will replace the current Data Protection Act 1988 (DPA). If your business is compliant with the DPA, you probably already fulfil many of the requirements of the General Data Protection Regulation (GDPR). However, there are some key changes you need to know about. I’ve summarised the key differences below to help you consider what action you may need to take to update your existing information systems. There is still time to take action – and there’s no time like now!
What are the differences and how will GDPR affect the way I run my business?
1. Scope
Current: DPA applies only to organisations in the UK.
New: GDPR extends its reach to encompass all European states. It will apply even though Britain is leaving the European Union. It also applies to any global company holding data on EU citizens (Facebook being one example).
2. Definition of Personal Data
Current: Personal data and sensitive personal data which could identify someone directly or indirectly.
New: Definition is extended to include online information which could identify a person for example IP addresses, mobile device IDs and encrypted data. There are also new responsibilities to protect children’s personal data.
3. Responsibility for data security
Current: Only the data controller has responsibility for the security of information.
New: GDPR also makes the data processor responsible. Companies with more than 250 employees must employ a Data Protection Officer. Consumers could hold both the data processor and the data controller responsible for data breaches.
4. Demonstrating compliance
Current: Under the DPA, businesses had to indicate intent and willingness to comply.
New: Under GDPR, businesses and organisations have a mandatory responsibility to demonstrate compliance. Ways in which this can be shown include:
• Staff training
• Internal audits and documentation of data processing activities
• Internal HR policy review
• Meet all the principles of data protection by design
• Implement Protection Impact Assessments
5. Consent
Current: Data collection does not necessarily require an opt-in.
New: Individuals must give explicit consent to opt-in whenever data is collected and there must be clear privacy notices. Those notices must be concise and transparent and consent must be able to be withdrawn at any time.
6. Subject Access Requests
Current: People have the right to request to see what information you hold about them. These requests carry a £10 charge and there is a requirement to respond to the applicant within 40 days.
New: Under GDPR, subject access requests will be free of charge and must be responded to within 30 days.
7. Data breaches
Current: Companies are not obliged to report data breaches, though it is considered best practice under the current DPA.
New: GDPR carries a mandatory requirement for all data breaches to be reported to the regulator within 72 hours.
8. Data removal
Current: There is no requirement for an organisation to remove all data they hold on an individual.
New: An individual will have the ‘right to erasure’, which covers all data held on them, including web records, with all of that information being permanently deleted.
9. Enforcement and Penalties
Current: Enforced by the Information Commissioner’s Office (ICO) in the UK. It can issue fines of up to £500,000 or 1% of annual turnover to any UK organisation that “seriously breaches” the DPA.
New: Each European country will have its own supervisory authority to monitor GDPR compliance. The ICO will be the supervisory authority in the UK. From the 25th May 2018, organisations that fail to comply with GDPR could be fined up to €20 million or 4% of their annual global turnover, whichever is higher.
10. Privacy by design
Current: Protection Impact Assessments (PIAs or DPIAs) are not a legal requirement under DPA.
New: DPIAs will be mandatory and must be carried out when there may be a high risk to the freedoms of the individual. A DPIA helps an organisation to ensure they meet an individual’s expectation of privacy.