The UK’s Data Protection Act was passed almost twenty years ago. Since then, the collection and use of data by organisations, both public and private, has changed enormously. Mobile phones now dominate how we receive and consume data. Giant corporations like Google and Facebook keep track of your online activities so they can sell the information to advertisers, and governments are demanding ‘big brother’ powers to access citizens’ data in order to protect people from terrorist attacks.
The GDPR has updated the rules surrounding data protection, and at present many organisations will find they are not compliant with the new rules. With the regulations coming into force in 2018, companies are being urged to get up to date with the new law and to plan so that they are compliant in time.
Where does the GDPR come from?
The GDPR is an EU law. The government has directed that all businesses and charities must comply with the new regulations, meaning that after Brexit they are likely to be transposed into British law.
What happens if my organisation breaches the GDPR?
Penalties for breaching the GDPR are harsh. Businesses can face fines of €20 million or 4% of their revenue, whichever is greater.
What are the main enhancements that the GDPR makes to data protection law?
The main changes which will affect organisations collecting data are as follows:
The GDPR will apply to any organisation collecting or processing the data of EU citizens, regardless of where the organisation is located
Organisations must obtain the consent of individuals before they store and use their data and explain how the data will be used
If data security is breached, organisations must notify the authorities within 72 hours, unless the breach is so minor that it is unlikely to “result in a risk to the rights and freedom of individuals”
If someone requests copies of the data the organisation holds on them, it must be provided. Organisations must also be able to explain how a person’s data is stored and what it is used for
A person will be able to request that an organisation delete all their personal data and stop sharing it with third parties
Organisations must be able to provide a copy of the data they hold on a person in a “commonly used and machine-readable format”
Security of data must be built into processes and procedures from day one of an organisation becoming operational
Data controllers and data protection officers must appoint a Data Protection Officer (DPO), who can be independent of the organisation (a contractor) or a member of staff. The DPO will be responsible for data security and for ensuring the organisation is compliant with the new regulations.
The GDPR will impact all organisations, especially those that sell their products and/or services online. To find an experienced IT solicitor who can advise on how to prepare your business or charity for the new regulations, search Solicitors Guru.