The General Data Protection Regulation (GDPR) aims to reform, modernise and harmonise European data protection law and will replace the Data Protection Act 1998. Any data that can be used to identify an individual (the Data Subject) is considered Personal Data, and this will now also include genetic, mental, cultural, economic or social information. Very little personal data will fall outside the GDPR, making it difficult for firms to avoid having to comply with its requirements.
When will it come into effect?
25th May 2018
How could this affect you?
The Information Commissioner's Office (ICO) will have enhanced scope to penalise firms for non-compliance and for the consequences of data leakage in the event of a breach; these penalties could be as severe as fines of up to €20m or 4% of global turnover.
Cyber events such as breaches, extortion and issues raised by loss of data are rarely out of the news. A major breach and potential loss of data can result in serious reputational damage, raising customer concerns as to the adequacy of a firm's processes and data security provisions.
All firms will be required to demonstrate that they comply with the new regulatory environment, making effective record-keeping absolutely essential.
Where collecting personal data, a firm must be able to evidence clear and valid consent to the processing of that personal data. It will be more important than ever for firms to explain exactly what personal data they are collecting and how it will be processed and used, and to evidence how this has been achieved.
Data minimisation requires firms not to hold data for any longer than necessary, and not to change the use of the data from the purpose for which it was originally collected. This means firms must obtain fresh consent before they can alter the way they are using data previously collected, and must have processes to ensure the deletion of data in response to requests from the data subject.
Firms will be required to report any data breach within 72 hours of discovery, meaning they must have the processes in place to detect, respond to and report (as appropriate) any data breach. In some cases, it may be necessary to notify all those persons impacted, or potentially impacted, by the breach.
The above provides only a sample of the requirements under the legislation. Full details can be obtained at https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/