The European Union's General Data Protection Regulation (GDPR) will apply from 25 May 2018, and UK companies doing business in Europe, or handling the personal data of people in the EU, will therefore need to be prepared in order to ensure compliance.
With this in mind, what kind of things should you be thinking about to make sure your company stays on the right side of EU data protection law?
Data protection experts are urging companies that have not yet made any real effort to look seriously at how they will manage their data assets under GDPR to act now, in order to meet the many new obligations. A recent Computer Weekly article highlighted five main areas where the new regulation introduces significant changes:
- Data Breaches. Whereas breaches today tend to become public only when exposed by the media, which may be weeks or months after the event, GDPR (Article 33) requires a personal data breach to be reported to the supervisory authority (in the UK, the ICO) within 72 hours of the organisation becoming aware of it, where feasible, unless the breach is unlikely to result in a risk to individuals. A later report must explain the delay, and where the risk to individuals is high they must also be told without undue delay (Article 34).
GDPR defines a personal data breach as a breach of security leading to the "accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". Note that the qualifier "in connection with the provision of a public electronic communications service" belongs to the existing telecoms breach rules, not to GDPR, which applies to any personal data whatever the sector. In the UK, providers of public electronic communications services are already required under PECR to notify the ICO within 24 hours of detecting a breach, or face a fixed penalty; GDPR extends a notification duty to all data controllers. Preventing and spotting data breaches is already a significant challenge that all organisations should take seriously in order to maintain stakeholder confidence, keep customers, and protect the organisation's reputation. Meeting a 72-hour clock in practice means having logging, monitoring and an incident response process in place before a breach happens, because the clock starts when you become aware of it, not when you have finished investigating.
- Appointing a Data Protection Officer. Under GDPR (Article 37) a Data Protection Officer (DPO) must be appointed by public authorities and by any organisation whose core activities involve large-scale, regular and systematic monitoring of individuals (which includes profiling) or large-scale processing of special categories of data. The DPO needs expert knowledge of data protection law and practice and must be able to carry out the tasks set out in Article 39, which include advising the organisation, monitoring its compliance and acting as the contact point for the supervisory authority; the DPO may be an existing employee or an external contractor, but must be able to act independently. The appointment of so many DPOs will obviously have an impact on company staffing, and estimates reported at the time put the likely number of DPOs to be appointed in Europe in the next two years at 28,000.
- The need for consent. Consent is only one of the lawful bases for processing under GDPR, but where an organisation relies on it, the Data Controller must be able to demonstrate (Article 7) that the individual, for example a customer, consented to the processing of their data for the specified purposes. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action: pre-ticked boxes, silence or inactivity do not count, a request for consent must be clearly distinguishable from other matters such as general terms and conditions, and it must be as easy to withdraw consent as to give it. This will mean building in a system that records an active, separate opt-in from the user, together with when and how it was obtained.
- Controls on transfer of personal data. GDPR (Chapter V) contains measures intended to protect the personal data of people in the EU once it is moved outside the EU/EEA. Transfers are only permitted to countries the European Commission has found to provide adequate protection, or where appropriate safeguards such as standard contractual clauses or binding corporate rules are in place, or under a limited set of derogations. This means, for example, that international organisations processing the personal data of EU residents, and any organisation further down the chain that receives that data (such as cloud providers and other sub-processors), will need to comply with these transfer rules.
- Big fines for not complying or getting things wrong. GDPR sets out a penalty structure (Article 83) designed to impose fines that are "effective, proportionate and dissuasive". Less serious infringements, for example failing to keep records, notify breaches or appoint a DPO where required, carry fines of up to €10 million or 2% of annual worldwide turnover, whichever is higher; infringements of the core principles, of data subjects' rights or of the transfer rules carry fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.
What Does This Mean For Your Business?
Your business will need to make sure it fully understands how it should be processing and handling the data of people in the EU and how this will affect your processes. If your organisation falls within the DPO requirement you will need to appoint one, which means that someone in your organisation (if this isn't the case already) will need to be very familiar with all aspects of UK and EU data protection law and regulation; even where a DPO is not mandatory, someone must own that responsibility.
You will also need to ensure that specific consent is built into data gathering wherever you rely on consent, and that it can be proved. This could mean changes to processes and focusing resources on making sure this area of the business is managed correctly.
An audit of your data security measures in the light of GDPR may also be sensible, and you may choose to seek professional help and/or to gather information and allocate in-house responsibilities now, to ensure that your business is fully ready to meet its obligations and responsibilities. A data-mapping exercise (what personal data you hold, where it came from, where it is stored, who it is shared with, and on what lawful basis) is the usual starting point, since Article 30 requires many organisations to keep records of their processing activities.