What is GDPR?
In 1998, the Data Protection Act (DPA) was introduced by UK Parliament as the main piece of legislation to govern the processing of data on identifiable living people. At that time, Social Media and Cloud Computing were only seen in Sci-Fi Movies. However, the technology landscape has changed so much since the Act was enforced that this law is now significantly out of date and is not able to protect the individual as originally intended. A prime example would be social media sites capturing personal data, profiling it, and selling it to advertisers, without the individuals’ explicit consent.
Non-Compliance Risk is severe
However, the General Data Protection Regulation (GDPR) under EU law, which was adopted on 27th April 2016 and will apply from 25th May 2018, will supersede our Act and the Data Protection Directive from 1995, and be significantly more stringent. The main focus of GDPR will be to protect the personal data of all individuals residing within the EU – irrespective of where the company holding the data is based – and includes rules around holding, processing, profiling, maintaining and deleting that data, to name a few.
Businesses will also have to be more transparent with what they do with people’s data and will be required to show that they are complying with laws. Data breaches such as hacks, leaks, or illegal selling of data must be reported within 72 hours of the company becoming aware.
Businesses failing to comply with any of the terms can receive a penalty ranging from a written warning to a fine of €100 Million – €200 Million or 4% of worldwide turnover (whichever is higher). The British Government has said that it will adopt the General Data Protection Regulation and enforce it despite leaving the European Union, but 54% of organisations in the UK have not started any preparation whatsoever.
Do you know what Data you hold?
It’s not just IT that needs protecting. As with the Data Protection Act 1998, paper documents will need protecting just as much as your IT systems.
Having a robust IT system will be essential to being compliant. The GDPR references the need for “…appropriate technical and organisational measures be taken” 10 times. You need to have processes and procedures in place for removing personal data when it is no longer required or when someone has asked for their data to be removed, and for ensuring that data protection requirements are always considered when updating a process or system that uses personal data.
What do I need to do?
First, find out more about the GDPR principles so you can understand the impact it will have on your business. After this, you should audit all the personal data you hold and determine whether you already meet the GDPR principles and where changes are required to processes, procedures and IT.
Get in touch with our GDPR experts today to find out more.