The GDPR deadline is fast approaching
In less than 60 days, the new General Data Protection Regulation (GDPR) will be in force. These new rules are designed to harmonise data protection regulation across the EU, as well as in other countries around the world. Ultimately, this means greater protection for personal data.
The UK's decision to leave the EU will not affect the incoming regulations, and the Information Commissioner's Office (ICO) has confirmed the changes will come into force on 25th May 2018.
The new regulations recognise how much the collection, use and processing of personal data has changed in the 20 years since the Data Protection Act 1998 (DPA) was brought in. With more and more information being processed online, and more data available to businesses, it is vital that these companies do all in their power to ensure data is kept safe and secure.
Below, you will find information on some of the changes that will affect your business.
The maximum fine for a breach has been greatly increased to €20m or 4% of global annual turnover, whichever is the greater. Although these are maximum fines, they illustrate the significant increase in the level of fine for a major breach.
The maximum fine for a breach has been greatly increased to €20m or 4% of Global annual turnover, whichever is the greater. Although these are maximum fines, it does outline the significant increase in the level of fine for a major breach.
A Data Protection Officer:
It will now be mandatory for some businesses to have a dedicated Data Protection Officer (DPO). If you are a public authority, or a business carrying out certain types of processing, you will require a DPO. If your business carries out data processing on a large scale and this is a core activity of your business, then it is likely you too will need to appoint a DPO.
The DPO can be an existing employee but must be independent and able to give expert data protection advice.
It is now compulsory for all organisations to report certain types of data breaches. This must be done within 72 hours of becoming aware of the breach and is the responsibility of data controllers. Failure to notify the ICO of a breach can result in heavy fines of up to €2m or 2% of annual global turnover, in addition to any other fines placed on the firm.
Whilst 72 hours is little time to investigate and therefore to establish whether a potential breach actually was one, the ICO will allow the firm further time to carry out its investigation. However, it is still a requirement to notify the ICO within the 72 hours, and then to continue to provide the ICO with information as the investigation progresses.
The right of data portability:
Under the new rules, the data subject is allowed to request all of the information held on them in order to use this information and to transmit it to another data controller. This seeks to allow individuals to obtain and reuse their information across different services.
Whilst a subject access request is not new, firms are no longer allowed to charge for it. If a data subject requests a copy of their information, this must be provided free of charge, in a timely manner (at the latest within one month) and in a machine-readable format that also ensures data security.
The lawful grounds for processing:
There are six lawful bases for processing data. As a firm, you must establish which lawful basis you have for processing a person's data and set this out in your privacy notice.
The lawful reasons are listed below, and more information can be found on the ICO’s website.
In addition to the reasons for processing, individuals have further rights. There are however some exceptions highlighted in the table below.
Other rights of the data subject are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Still struggling with some jargon? Hopefully our jargon buster will help out.
For more information on the new regulations, visit the Information Commissioner's Office here. If you would like to talk to an insurance adviser about how we can assist you in protecting your data, then call us today on 01952 812380 or email us at firstname.lastname@example.org. For further information, read our other blogs on the GDPR here.