What changed on 25th May 2018?
A lot. Apparently.
The EU General Data Protection Regulation (GDPR) is widely regarded as the biggest ever shake-up of data protection laws. The new UK Data Protection Act 2018 also came into force on 25th May 2018 and contains specific UK requirements as well as the EU GDPR.
The new regulations are designed to give EU citizens control of their data.
The GDPR will require organisations to re-think their approach to data privacy and security, to reduce the business and reputational risks from non-compliance.
GDPR is all about data. Personal data.
It defines what constitutes personal data; how an organisation should deal with that data; and awards a number of rights to individuals about how their data is managed.
DATA PRIVACY + DATA SECURITY = DATA PROTECTION
…this is no longer just an IT security problem
From 25th May 2018, the Information Commissioner’s Office (UK regulator) has the powers to:
- Order you to stop processing personal data.
- Impose significant fines for breaches from non-compliance.
- Instigate criminal proceedings.
So, what has changed from the existing regulations?
Who has not heard about the increase in fines… ? The regulator now has teeth. Large ones. Up to Euro 20m or 4% global annual turnover-sized teeth. Ouch!
The most significant addition is the accountability principle.
The GDPR requires you to show how you comply with the principles, for example:
- Having trained staff
- Having a demonstrable understanding of the data you process
- By documenting the decisions you take about a processing activity
- Having operational procedures in place
The Data Controller is accountable for failures of any data processing and is equally liable with the Data Processor, e.g. for data breaches.
This is a rather unwelcome change in liability for Data Processors.
Some details on the changes:
You may need to appoint a Data Protection Officer to provide advice and:
- Monitor your organisation’s compliance with the Data Protection regulations
- Be the main point of contact with the Information Commissioner’s Office (www.ico.org.uk)
Rights of an Individual:
• Consent is needed for every data processing activity, if no other lawful basis applies.
• He/she must give explicit consent.
• Has direct access to their data in the enterprise, e.g. web portal.
• Right to claim compensation for damage caused by data breaches.
• Right to rectify, erase and block incorrect data.
Notification of data breaches:
• When a personal data breach has occurred, notification to the Supervisory Authority must be made within 72 hours.
• Penalties are proportionate to the compliance failure:
  • Higher level – up to Euro 20m or 4% of global annual turnover.
  • Lower level – up to Euro 10m or 2% of global annual turnover.
Pseudonymisation and encryption of personal data is advised:
• Using pseudonymisation can reduce the risk to an individual.
• Implement appropriate technical and organisational protection measures to protect the personal data, e.g. pseudonymisation / encryption.
Cross border data transfers:
• Consent from the individual is needed before transmitting their data to countries outside the EEA.
• Only transfer the data to other countries if they have adequate data protection laws to protect the individual’s data.
Children’s personal data:
• Children under the age of 16* cannot give their own consent to data collection or data processing.
• Parental or authorised consent is required for children under the age of 16* (see guidance from the ICO).
• Whenever a direct counselling service is offered to a child about data privacy, consent from parents is not necessary.
* 13 years old in the UK for certain services
If you need help with becoming GDPR compliant, contact us and we’ll be delighted to help.
Be Data Smart. Be Compliant.
Data protection is here to stay.