Every business relies on databases to store and organise personal information. Whether you keep customer records and order details, or obtain targeted B2B marketing or direct mailing lists from professional data suppliers such as Selectabase, managing a large quantity of personal data is likely to be at the heart of your operation.
When does the new law come into force?
At the moment, data protection is governed by the Data Protection Act 1998 but this is set to change. From 25th May 2018, the General Data Protection Regulation (GDPR) will become law across the European Union, including the UK, providing a far more comprehensive framework for data collection, processing and storage by organisations. Under GDPR, personal data is defined as ‘any information relating to an identified or identifiable natural person’ which includes online identifiers such as web cookies and IP addresses.
Not only will the new legislation impose more, and more detailed, requirements for storing personal data and for information governance; it will also bring strict sanctions for businesses and organisations that fail to put in place robust cyber security measures.
What are the changes?
- Strict fines
GDPR requires organisations to protect personal data against unauthorised processing and against accidental loss, destruction or damage. Most importantly, the level of fines that can be imposed on businesses whose inadequate security leads to a personal data breach, defined as a breach of security ‘leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’ (GDPR, Art. 4(12)), has risen sharply.
Fines of up to €20 million or 4% of global turnover, whichever is greater, can be imposed for the most serious offences, such as breaching basic data protection principles or international transfer restrictions.
Fines of up to €10 million or 2% of global turnover, whichever is greater, can be imposed for less serious offences, including failing to maintain a data processing register.
- Accountability requirements
GDPR places much more emphasis on accountability than the current legislation does. Organisations will need to ensure that their existing policies and record keeping measures are able to satisfy the new requirements.
Data controllers and processors will have to be able to demonstrate how the data protection principles are complied with. This includes comprehensive data governance measures to safeguard personal data and minimise security breaches, as well as keeping records of processing activities. Any personal data breach that is likely to result in a risk to individuals must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it.
In particular, companies will be required to carry out data protection impact assessments (often called privacy impact assessments) for high risk processing, and to build data protection into their systems and processes by design and by default, so that it is treated as an integral part of company operations rather than as an afterthought.
- Role of data processors
Under GDPR, data processors will have specific obligations of their own, such as implementing appropriate security measures, keeping records of their processing and reporting any personal data breach to the data controller without undue delay. Unlike under current legislation, where the data controller assumes responsibility for any breach committed by the processor, processors will be directly exposed to regulatory fines and to private claims from data subjects.
A designated, suitably qualified Data Protection Officer will need to be appointed where the organisation is a public authority, where its core activities involve regular and systematic monitoring of data subjects on a large scale, or where they involve large scale processing of special categories of personal data.
- Data subjects
Where data processing relies on consent, the organisation must be able to show that consent was freely given by the data subject. Withdrawing consent must be made just as easy as giving it. GDPR does not ‘grandfather’ existing data or consents: consents obtained under current law will remain valid only if they already meet the new standard, and otherwise will need to be obtained afresh.
Organisations will need to ensure that processes are put in place to comply with extended rights of data subjects including the right to have personal data deleted, the right to restrict processing and the right to data portability.
Who will need to comply with GDPR rules?
The new data protection laws apply to every organisation established in the EU member states that processes personal data. GDPR will also affect third parties, including cloud service providers, that handle and/or store personal data on behalf of their clients. What’s more, even businesses located outside the EU must comply with the new rules if they offer goods or services to individuals inside the EU or monitor the behaviour of individuals within the EU.
In the light of the Brexit negotiations, the government has confirmed that GDPR will be implemented across the UK and it is expected that compliance with the new laws will continue after the UK has left the European Union.
If you’re in business in the UK, you should take a good look at how your company collects, stores and uses personal data at present, and take all the necessary steps to prepare for the new GDPR rules coming into force next year.