The enforcement of the General Data Protection Regulations ("GDPR") brought in major changes on how the personal information of EU residents was handled. It gave them greater rights over their personal data. GDPR has radically changed the steps businesses must take to protect personal data, applying to any organisation that handles it, regardless of whether they are EU-based or not.
Ignorance is no defence for failure to comply and there are significant penalties for non-compliance. The ease and sophistication of collecting, storing, moving and accessing data - including sales, CRM and marketing - has allowed cybercriminals to take advantage; UK companies lost more than £1bn to cybercrime in 2016 alone. Data breaches give access to names, birthdates, addresses, social security, bank accounts and pension information. The Cambridge Analytica scandal is a prime example and why many legal commentators believe that this overhaul is long overdue.
GDPR means consent.
Organisations must now keep a thorough record of how and when an individual gives consent to store and use their personal data. No more pre-ticked boxes; if you control the processing of personal data you must show a clear audit trail of consent including screen grabs or saved consent forms.
Individuals have the right to withdraw consent at any time and have their details permanently erased and not just be deleted from a mailing list. They now have the right to be forgotten, so can legitimately demand, for example, that social media companies erase any posts they made during childhood. Organisations are now forced to know exactly what personal data is held, where it is stored or located and they must have procedures in place to ensure complete removal when a request is made.
GDPR also means breach management.
Privacy by design and default is the cornerstone of GDPR. If there is a data breach then organisations must inform the authorities within 72 hours. In the UK this is the Information Commissioner`s Office. In the event of a data breach organisations must give full details of the breach and proposals to mitigate it`s effects. Systems must recognise and act on breaches as soon as they happen and incident recovery plans put in place to deal with the repercussions.
Failure to meet the 72 hour deadline could result in fines; a penalty of up to £10M or up to 2% of annual global turnover, whichever is higher.
GDPR means right to access.
People can now access any of their stored personal data and organisations must be clear about how and what they collect, for what purpose it is used and how it is processed. Plain language must be used to convey this and secure, direct access to review what information is stored must be provided. Such requests must be responded to within 4 weeks.
Before GDR the Information Commissioner`s Office could issue a maximum penalty of £500,000. Failure to follow the basic principles of data processing without having a legal basis for doing so can result in heavy fines: data protection authorities can now issue penalties of up to £20M or 4% of an organisation`s annual global turnover, whichever is greater.
GDPR means UK law GDPR is considered a key pillar to the future success of the digital economy and embedding it helps to allow data to continue to flow, uninterrupted, between the UK, the EU and other countries around the world.
GDR requires all new business products and processed that may involve personal data or impact upon the privacy of an individual to be designed in accordance with these regulations. All organisations must consider the impact that processing personal data can have on an individual`s privacy.
