A new data dump?
General Data Protection Regulation (GDPR) is a widely encompassing data protection ruling developed by the EU which will come into effect on May 25 2018.
All companies in the EU and UK that participate in any form of data collection and storage of personal information will be impacted by the forthcoming regulation.
The current data protection regulations were established in the 1990s. While they will remain in effect until GDPR is enacted, the need for an update has been a long time coming. EU member countries have been operating under both EU regulation and their own national laws for data protection, and this dual regulation will continue. Companies in EU countries will need to comply with both GDPR and national laws for data protection.
What about Brexit?
Although the UK has developed its own Data Protection Bill, the regulations are largely the same as the GDPR. This Data Protection Bill (which still needs to pass through the House of Commons and the House of Lords) will be overseen by the Information Commissioner’s Office (ICO).
Who will be impacted by the GDPR?
Anyone who gathers or processes personal data will be governed by the GDPR. This includes individuals, organisations, and companies. Personal data means any information that can be used to identify someone. This covers all methods of identification from an individual’s IP address, name, and address to their political views, sexual orientation, and everything in between. Even identification by a pseudonym is considered personal data that must be protected.
All industries must be aware of the increased risk of liability for a data breach that may impact any individual about whom they retain or process personal data. This is already the case in Europe, where some countries such as France and Italy have determined that directors can be liable for failing to take reasonable precautions to protect the data their companies collect. It is possible that this will also be the case in the UK should a director fail to sufficiently prioritise cyber security.
What are the highlights of the GDPR?
The GDPR increases the rights of individuals to access their personal data while simultaneously increasing the responsibility of companies to ethically gather and protect personal data. Many businesses already have strong data protection policies; for them, the GDPR can be viewed as an extension of current regulations. Those who are not yet in compliance face greater accountability for their policies and actions regarding data protection, and significantly higher fines for failure to comply.
Data breaches that may negatively impact individuals must be reported within 72 hours of discovery. Companies with more than 250 employees must show strong policy regarding the collection, processing, and holding of personal data. Any organisations that participate in large scale data collection or processing will need to have a data protection officer (DPO) on staff. In addition, consent for data collection must be via an “opt-in” process, and businesses must be transparent with individuals regarding consent.
The practice of charging £10 to anyone requesting their personal information from a business will be terminated, allowing everyone to request this information for free. These requests must be fulfilled within one month. Companies must also confirm if they are holding personal information about an individual when asked. Under certain circumstances, companies must remove data when requested by an individual. These changes allow people greater control over their personal data.
Under the new regulations, fines for noncompliance have been significantly increased. Although the ICO claims that fines are to be used only when compliance cannot be achieved, the threat looms for many companies.
What should businesses do?
If your business or organisation currently complies with data protection regulations, there may not be a great deal of change required. However, those without data protection policies and procedures must take appropriate measures to comply. In the UK, the ICO has published a guide detailing steps organisations must take to prepare for the new regulations. The EU has a helpful website that details the information regarding GDPR and ways to prepare for its arrival.
The changes from previous regulations are steps along a reasonable path, and will increase trust between consumers and the businesses that hold consumer information. The GDPR builds on past regulations with additions that hold companies accountable for data protection, provide greater rights for individuals regarding their personal data, and include updates related to new and changing technology.
Companies with data protection officers should check they have D&O policies that include the role of the DPO.
Plus Risk specifically covers DPOs as standard in our policy form.
This coverage will become more commonplace as issues of data protection and cyber security become a greater priority.