With the GDPR officially coming into force on May 25, 2018, we asked Cally Shanley, Business Solutions Consultant and GDPR specialist, to explain what this means:
Spam and identity fraud are two features of modern-day life that have grown out of the enormous expansion in electronic data storage and sharing over the past two decades. The Data Protection Act 1998 offers some protection; however, it implements an EU directive, which member states transpose into national law in their own way. The GDPR (General Data Protection Regulation) is set to give more control back to the data subject, aka “you”, because it is a regulation (directly applicable law) covering the personal data of EU citizens, regardless of where that data is held. The flip side is that if you engage in economic activity and store or process personal data belonging to EU citizens, then you too are subject to the new regulation from 25th May 2018.
What is personal data?
The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. This covers anything that could be used to identify an individual and extends to data such as an IP address or phone number. Special category (sensitive) personal data now also includes genetic and biometric data, which could uniquely identify an individual.
What will happen after Brexit?
The Queen’s Speech has confirmed that the General Data Protection Regulation will form part of UK law following the country’s withdrawal from the European Union. The Speech noted that “Over 70% of all trade in services are enabled by data flows, meaning that data protection is critical to international trade.”
Who is accountable for data protection?
The GDPR recognises two main roles in handling personal data, and your responsibilities differ depending on which role you fulfil.
● A controller determines the purposes and means of processing personal data. Article 5 of the GDPR states that “the controller shall be responsible for, and be able to demonstrate compliance with” the principles relating to the processing of personal data: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality.
● A processor processes personal data on behalf of a controller. Article 28 of the GDPR states: “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
This means that any company, EU or non-EU, that acts as a controller or processor will have to implement the necessary controls to comply with the GDPR if it wants to stay in business, because fines can be applied to both controllers and processors. According to Article 83, the level of any fine takes into account “the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them.”
What are the fines involved for non-compliance?
This is why the GDPR has attracted so much media and business interest. Under the current Data Protection Act 1998, the maximum fine is £500,000. Under the GDPR, enforced in the UK by the Information Commissioner’s Office (ICO), fines can reach €20 million or 4% of global annual turnover, whichever is higher. Individuals can also seek compensation for damage suffered as a result of an infringement of the GDPR.
What do I need to do?
The ICO has published checklists that help you understand and assess your organisation’s readiness for the GDPR. Any organisation that has not already begun to examine the impact of the GDPR on its business should start now.