May 25th, 2018 will herald the start of a new age in data privacy when the General Data Protection Regulation (GDPR) is introduced. The GDPR is a new piece of legislation designed to protect the data privacy of EU citizens. It will replace the Data Protection Act 1998 (DPA) in the UK when it becomes law next year.
A lot has changed since 1998: desktop computers and laptops have become mainstream, and mobile devices, email marketing, cloud computing and a vast array of connected devices have also transformed our lives. The GDPR aims to protect individuals’ data in the digital age.
You are probably familiar with the principles of the DPA and may be wondering what will change when the GDPR comes into force. In this article, we will highlight some of the changes to help you make the best data privacy decisions for your business.
Brexit and the GDPR
Although Britain voted to leave the EU, UK-based organisations need to comply with the GDPR when it becomes enforceable in 2018. Also, many UK organisations process EU citizens’ data and will continue to do so after the UK is expected to officially leave in 2019.
1. Enforcement
DPA – Enforced by the Information Commissioner’s Office (ICO).
GDPR – A Supervisory Authority (SA) will monitor and enforce the GDPR in the UK. Similar SAs will be responsible for monitoring and reporting in other EU countries.
2. Scope
DPA – Applies only in the UK.
GDPR – Applies to the whole of the EU and any company (globally) that holds data belonging to EU citizens.
3. Penalties
DPA – Failure to comply with the DPA can result in fines of up to £500,000 or 1% of annual turnover.
GDPR – Penalties for non-compliance with the GDPR are expected to reach $20m or 4% of global turnover – a significant increase.
4. The right to be forgotten
DPA – There is currently no legal requirement for companies to remove the data they hold on an individual.
GDPR – Individuals can exercise their ‘right to be forgotten’, which involves permanently deleting all of their personal data from company systems.
5. Data Protection Officers (DPO)
DPA – There is currently no obligation for a company to employ a dedicated DPO.
GDPR – Organisations with 250 or more employees must appoint a Data Protection Officer.
6. Opting in
DPA – Under the current legislation, businesses do not require an opt-in when collecting data.
7. Reporting a data breach
DPA – Under the current regulations, there is no legal obligation for a data controller to report a breach to the ICO or to individuals whose information has been lost or stolen.
GDPR – Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly. Organisations are also obliged to report a data breach to the relevant supervisory authority (ICO) within 72 hours of becoming aware of it.
The points above are not exhaustive; they illustrate some of the key differences between the current legislation and the GDPR.
The GDPR is extensive and will require lots of preparation. We recommend you start planning your GDPR journey now to ensure your organisation achieves compliance.
We are ready to assist with any information and technology protection requirements your business may have, to ensure complete compliance when the GDPR becomes law next year.
For more information on data privacy reform and the GDPR, visit the ICO website.