The new General Data Protection Regulation (GDPR)
5th October 2017
The media is always full of reports about data breaches and cyber security, but are you aware that the laws governing the data your business keeps, and how you store and protect it, are changing?
The new General Data Protection Regulation (GDPR) will come into UK law on 25th May 2018 to replace the current Data Protection Act (DPA) 1998.
The GDPR will have a significant impact on businesses by requiring them to review and transform the way they currently process any personal data. To meet the new requirements, businesses will need to adopt a much more active approach to governing the personal data they process.
With increased fines of up to 20 million euros or 4% of global turnover, it is essential that businesses are aware of GDPR and the things they can and should be doing now to prepare for it.
Why is data protection law changing?
The European Union (EU) has agreed the new GDPR following a review of data protection law, to address significant advances in IT as well as fundamental changes to the way in which individuals and organisations communicate and share information. It will also remove inconsistencies in data protection across the EU.
What should businesses be focusing on?
The GDPR broadly builds on the existing concepts and protections in the current DPA. The following are the important areas that are changing:
- Lawful processing – The GDPR introduces stricter requirements for valid consent which mean businesses will need to identify and rely on other grounds to ensure they have a legal basis for their processing of personal data.
- Accountability – Organisations are legally required to be able to demonstrate compliance through policies, procedures, training and record keeping.
- Transparency – Better and more comprehensive explanations of why data is being collected and how it will be used.
- Data Subject Rights – Requests to see personal files (data subject access requests) must be complied with within one month and must be dealt with free of charge.
- Breach reporting – Significant data breaches (losses or unauthorised access) must be reported to the Information Commissioner (ICO) within 72 hours.
- Penalties – The current maximum fine of £500,000 will be replaced by fines of up to €20 million or 4% of global turnover, for breaches of the data protection principles, conditions for consent or data subject access rights.
What benefits can compliance bring?
GDPR compliance brings a great opportunity for all businesses to build a healthier, more effective relationship of trust with customers and employees in relation to how they process personal data.
It is important to plan ahead for the proposed changes in regulation; leaving it until April 2018 is not an option unless you have plenty of spare capacity and resources to dedicate. There are many organisations offering guidance and support at the moment, and while reviewing your company's data storage and usage may seem daunting, taking the first few steps now is the best advice. Further support can be found:
A webinar on GDPR – how prepared is your business? 12th October @ 10am, presented by Mentor.
Click here for the NatWest invite.
If you register for the above but cannot make the time, the recording will be available for 90 days for you to listen to at your own convenience.
And from Surrey Chambers of Commerce:
Join us at our GDPR breakfast on the 8th December at Kempton Park Racecourse, with GDPR expert Linda Bazant. For more information or to book on