Part 1 of 3
The EU’s General Data Protection Regulation (GDPR), which comes into force in May 2018, has serious consequences for every business – no matter the size. Any organisation that stores and handles personal data will have to adhere to the new regulations. As a consumer it is good news as it will empower people to take control of their data. For businesses, however, it is going to cause a headache. And there’s no denying it, it’s quite complicated.
Consent, accountability and data breaches are the key focus points of the new regulation, and every organisation needs to make sure that it complies with the legislation to avoid being penalised. The Information Commissioner’s Office (ICO) will have the power to impose fines much bigger than the £500,000 limit the Data Protection Act currently allows. Under the new GDPR law, the fines can amount to £17 million (€20 million) or 4% of turnover.
These figures are causing much consternation within businesses, and rightly so. However, it needs to be pointed out that the maximum fine will only be applied in extreme cases where there has been a serious data breach or the organisation has completely failed to address data protection, as the Information Commissioner, Elizabeth Denham, pointed out on her ICO blog:
“It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm. Issuing fines has always been, and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned. Don’t get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in a 21st century world. But we intend to use those powers proportionately and judiciously.”
What is more worrying, however, is that, according to the latest Aldermore Future Attitudes study of small and medium-sized enterprise (SME) owners, nearly half (46%) of all SME owners have not heard of GDPR. Fewer than one in ten (9%) SME owners in the UK fully understand what the forthcoming General Data Protection Regulation actually means for their business or have taken the appropriate steps to prepare for it.
But What About General Data Protection Regulation and Brexit?
A great deal has changed since the Data Protection Act came into force in 1998. Digital technology and the storage and manipulation of data have increased tenfold, making the existing data rules completely out of date. In order to comply with the impending European regulation, the new Data Protection Bill, which was announced in the Queen’s Speech in June, will replace the Data Protection Act and incorporate the GDPR into national UK law.
Although the UK is on course to leave the EU, it is still an existing member state, so the GDPR had to be written into the Bill and adhered to. Following Brexit, any organisation that wants to continue exchanging data with customers and contacts in the EU, which most will, will have to demonstrate compliance with GDPR, as Jon Baines, chair of the National Association of Data Protection and Freedom of Information Officers, explained to Infosecurity Magazine:
“When the UK leaves the EU under Brexit, and if we don’t remain a member of the EEA, we will become a ‘third country’ for the purposes of GDPR, and we will need to have adequate domestic data protection law in place to enable the free flow of personal data between us and the EU. If the European Commission decides that this new UK data protection law is inadequate, it will make these cross-border transfers of personal data very tricky, which would have the potential to adversely affect trade deals, and drive up costs for business and consumers, as well as potentially hindering cooperation in criminal justice and national security matters.”
Download and use our GDPR Compliance Checklist and Workbook to carry out a self-assessment of the data that you hold and determine what you need to put into action in order to comply with the new GDPR requirements.