Understanding the GDPR Regulations

2nd October 2017

Amy Murgatroyd

Don’t lose Euro Millions In May

The Data Protection Act has been around for a while and has enshrined in law how personally identifiable information should be stored and handled. In May next year, the DPA will be replaced by the General Data Protection Regulations (GDPR), which take the existing act and beef it up, putting more power in the hands of the data subject as to how their personal data is used and also expanding the definition of what counts as personal data.

An increase in Data Protection fines

The Information Commissioner’s Office is a watchdog with teeth, already able to order offending organisations to toe the line and impose fines of up to £500,000. When the General Data Protection Regulations become law, the fine cap will increase to €20 Million (roughly £17.5 Million) or 4% of that organisation’s annual global turnover – whichever is greater. No matter how you look at it, failing to take data protection issues seriously will become ruinously expensive, even for organisations with deep pockets. Additionally, aggrieved data subjects no longer need to prove they’ve been hit financially as a result of a data breach; they only need to demonstrate they’ve been caused ‘harm’, which sets the evidential bar remarkably low.

Take responsibility for Data or you’ll be held responsible

No longer will it be sufficient for organisations to simply be aware of data protection principles; they will be required to demonstrate on demand that they comply with them. Organisations with more than 250 employees will be required to appoint an appropriate Data Protection Officer who will need to be skilled and autonomous. Data Processors as well as Data Controllers will be held increasingly liable for data breaches, and heavy fines can be issued for not having specified procedures or for making mistakes when following them. There is a requirement to assess what data is collected, why it’s collected and how it is stored, along with making sure mandatory procedures are in place and followed – referred to as the Data Protection Impact Assessment (DPIA), which must be reviewed every two years.

Portability is in the hands of the consumer.

Data subjects are already able to demand access to their personal data and, if errors are found, insist on these being corrected. New for the GDPR is the ability to request that their information be provided in a commonly used machine-readable format (such as .xml or .csv files) so that they can access this data and, if they so choose, transfer it easily to another service provider (the right to data portability). Organisations in receipt of a subject access request (the mechanism by which individuals access their data) can charge up to £10 in recognition of the cost of providing the data. In practice, this has been adopted as a flat fee. When GDPR becomes law, data must be provided free of charge in most circumstances, so organisations should probably be prepared for an increase in requests.

Don’t just hope no-one will notice

One of the big changes to data-protection rules brought in by the GDPR is that organisations will have an obligation to report data breaches within three days of becoming aware of them. Previously, if staff member ‘A’ accidentally left their unencrypted laptop, containing clients’ personal information, on the train, you might have been able to cross your fingers and hope for the best. From May, however, such a loss would have to be reported to the supervisory authorities within three days of being made aware of it. If there is a high risk to the privacy of the individuals who might be identified by the data breach, they’ll have to be notified as well.

GDPR consent must be clear and not assumed

Companies using pages of legalese when asking for consent to process data must rein in the jargon, explaining clearly and intelligibly the terms and conditions, rights and responsibilities surrounding data use. Consent must be made transparent, the reasons for collection explained, and it should be made easy to withdraw that consent. Additionally, the ‘right to be forgotten’ will be enforced, meaning that data subjects can demand that all of their data, including web-based information, be completely and irretrievably expunged.

If the data subject is in Europe, the location of their data is irrelevant

Data can be sent instantly anywhere in the world, so the jurisdiction of the GDPR regulations extends beyond the border of Europe. If the data subject is physically in Europe, then their data, wherever that might be, is still protected. If you outsource data processing or call centres to a location outside the EU to serve your customers who are within the EU, you will be liable if that foreign service provider loses or misuses that information.

Forewarned is forearmed – Advice for Employers

While it can seem an age away, it’s important that organisations both large and small get themselves ready for GDPR. Properly looking after the information is no longer something that can be taken for granted, and organisations failing to comply are likely to end up being hit very heavily in the pocket. We anticipate a great deal of demand for the new mandatory role of Data Protection Officer as we get closer to the introduction of GDPR. If you’re an expert on data protection law, why not talk to us at Strategic People about how to make the step into an exciting new role? Or, if you’re finding yourself in need of a DPO, we can work with your organisation to help find you the best quality candidates to help you comply with these new regulations. We’ve got your back.