A brief overview of the forthcoming data protection changes
May 25th, 2018 will see a seismic shift in data protection, with businesses in the UK required to comply with a whole raft of new rules. The General Data Protection Regulation (GDPR) will replace the current Data Protection Act 1998 (DPA) and seeks to harmonise data protection law across the EU whilst giving individuals greater control over their personal information.
It should be noted that, although GDPR is an EU initiative, Brexit will not affect the introduction of the new regulation into the UK: the UK government has confirmed it will apply from May 2018.
What will change?
GDPR will greatly increase scope, accountability and liability compared to the existing DPA regulations. Businesses need to be aware of several major changes and, though May 2018 is still far on the horizon, it makes sense to begin preparing for the switch as soon as possible.
One of the biggest changes from DPA is that GDPR will apply not only to all organisations established inside the European Union, including the UK, but also to organisations elsewhere in the world which offer goods or services to, or monitor the behaviour of, individuals in the EU. Note that the test is where the individuals are, not their citizenship.
The new rules, which will be standardised throughout Europe, will be enforced by a designated Supervisory Authority in each country. In the UK this will be the Information Commissioner's Office (ICO).
Under GDPR every use of personal data must rest on a lawful basis. Consent is one of those bases, and where a business relies on it the bar is much higher than under DPA: consent must be freely given, specific, informed and unambiguous, backed by comprehensive and transparent privacy notices so people know exactly what they are opting in to. Pre-ticked boxes and silence will not count. Crucially, the business must be able to prove consent was given, and individuals must be able to withdraw it as easily as they gave it.
Breach notification is another significant departure from DPA, which only encouraged such notifications to be made. Under GDPR it will be a legal requirement to notify the Supervisory Authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected people must be told as well, without undue delay. In practice this means a business needs a tested incident response process, and records of every breach, before May 2018, not after.
The accountability principle within GDPR places the onus of compliance squarely on the shoulders of individual businesses. Each business must be able to demonstrate that it complies with the regulation, and it is its responsibility alone to ensure it does so.
Being able to demonstrate compliance with GDPR will be a major task for businesses of all sizes. Some key areas will be:
- Appointing a Data Protection Officer where one is required. This is a significant departure from DPA. A DPO is mandatory for public authorities, and for any organisation whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health data). Many businesses outside those categories will still choose to appoint one. The DPO acts as a first point of contact for the Supervisory Authority and for individuals, as well as monitoring compliance with the regulation
- The business must put in place appropriate staff training and carry out internal audits and reviews
- Must provide transparent privacy policies
- Maintain records of processing activities (organisations with fewer than 250 staff are partly exempt, but not where the processing is regular, risky or involves special categories of data)
- Carry out Data Protection Impact Assessments for processing likely to result in a high risk to individuals, for example new profiling or large-scale monitoring
The Supervisory Authority will have enhanced powers to impose far greater financial penalties for non-compliance or breaches of the regulation. Under DPA the ICO could fine firms up to £500,000. Under GDPR there are two tiers of penalty: up to €10 million or 2% of global annual turnover for failings such as inadequate records or security measures, and up to €20 million or 4% of global annual turnover for breaches of the core principles, individuals' rights or the rules on international transfers. In each case the higher of the two figures applies.
Those potential penalties should galvanise every business to ensure it meets the compliance criteria for GDPR.
Keep up to date with GDPR with Ebuyer
In the coming months, leading up to May 2018, we will be running a series of articles on the Ebuyer blog building on this introduction to GDPR. In the meantime, more information on the General Data Protection Regulation is available from the Information Commissioner's Office.