The General Data Protection Regulation (GDPR) represents the most comprehensive and far-reaching overhaul of data protection legislation in the UK since the introduction of the Data Protection Act 1998. The primary objective of the GDPR is to give EU citizens back control of their personal data and to unify the regulatory environment for business both within and outside of the EU. As a result, every organisation within the EU will be expected to comply with the GDPR after the 25th of May 2018.
Businesses will be expected to not only comply with the new legal regime but to also demonstrate compliance to data subjects, the Information Commissioner’s Office (ICO), and to third parties with whom the business may interact with.
The current cap on fines under the DPA is £500,000. This will be significantly increased under the GDPR with the introduction of a tiered approach to penalties for breaches. Depending on the circumstances and extent of the breach the ICO will be able to impose fines up to 4% of annual worldwide turnover or €20 Million (whichever is greater).
The GDPR introduces a new accountability principle which requires organisations to explicitly state that it is their responsibility to uphold the principles of data protection. Accordingly, organisations need to implement appropriate technical and organisational measures to ensure and demonstrate compliance (including staff training, internal auditing, and review of HR policies and practices).
As part of the accountability, demonstrability, and auditing requirements organisations should:
- Encourage encryption and pseudonymisation of data
- Regularly measure and test system resilience
- Measure data restoration and availability of access
- Frequently test the effectiveness of physical and digital security measures
- Consider appointing a Data Protection Officer
- Introduce measures to produce data protection impact assessments
- Maintain internal records of personal data processing activities
- Take a privacy-centric approach to physical and digital security
It is not a question of IF a data breach will occur, but WHEN. These organisations are strongly encouraged to put in place clear policies and procedures to enable prompt responses to data breaches and subsequent notifications. The policies should incorporate a clear framework of accountability in order to monitor, review, and assess data processing procedures and demonstrate compliance to any relevant authorities. The starting point for any organisation should be an analysis of the legal basis for processing personal data demonstrate that personal data is processed for a legitimate purpose and appropriate consent has been obtained.
Time is running out, the GDPR will come into force on the 25th May 2018, don’t get caught out! Click here to read our 12 steps to GDPR compliance.
The information and opinions contained in this blog are for information only. They are not intended to constitute advice and should not be relied upon or considered as a replacement for advice. Before acting on any of the information contained in this blog, please seek specific advice from Gilson Gray.