Lawful basis for processing under the GDPR
Although not new, the lawful basis for processing under the GDPR places more emphasis on accountability and transparency relating to how your organisation processes data.
The six lawful bases are similar to the old conditions for processing, although there are some differences – the ICO website contains more information on lawful processing.
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right of rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights related to automated decision making and profiling
You can read more about individuals rights on the ICO website.
Time to report a data breach
Under the 1998 Act, organisations have one month to report a data breach but once GDPR is enforceable, this period will reduce dramatically. Once a data breach has been detected, organisations will have 72 hours to investigate the violation, let the regulator know what’s happened, figure out if personally identifiable information (pii) has been compromised and have a plan to manage the threat.
Unless there are technical controls and a robust information security policy in place to mitigate the threat of a data breach, many organisations will struggle to meet these demands.
Data Protection Officer
In some circumstances, organisations must appoint a Data Protection Office (DPO). You must appoint a DPO if you:
- are a public authority (except courts acting in a judicial capacity)
- carry out large-scale systematic monitoring of individuals (e.g. behaviour tracking)
- carry our large-scale processing of special categories of data or data relating to criminal convictions or offences – at this time, there is no numerical definition of “large-scale processing.”
You may appoint a data protection officer to act for a group of companies or a group of public authorities – depending upon size and data processing requirements.
Any organisation can appoint a DPO. Our Technical Director, Neil Douglas is a qualified GDPR Data Protection Officer and is always free to chat regarding your DPO or GDPR requirements.
The maximum penalty for suffering a severe data breach under the Data Protection Act 1988 is £500,000. Mobile telecoms company, Talk Talk received a £400,000 fine for failing to prevent a serious data breach back in 2015. –
Penalties under the GDPR are far more severe. A maximum fine of €20 million or 4% of global annual turnover for the most severe data breaches is on the cards. However, we don’t expect the Information Commissioners Office (ICO), the UK’s governing body to impose the maximum fine as it hasn’t done so under the existing regulations – that’s not to say they won’t impose sizeable penalties.