GDPR what every UK business needs to know
What is GDPR?
The volume of personal data exchanged between businesses across Europe continues to grow rapidly, yet before GDPR the EU's member states had disparate laws on how that data had to be protected.
In 2012, the European Commission proposed "a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy". This became the General Data Protection Regulation (GDPR), which was adopted in 2016 and has applied since 25 May 2018. The key objectives of GDPR, as set out by the EU, are as follows:
- A harmonised pan-EU regulation, replacing the existing patchwork of myriad national regulations
- An improvement of the current system of binding corporate rules for a safe transfer of data outside the EU
- A regime allowing better control over an individual’s data
That last point means individuals in the EU have greater control over their personal data, including what that data may be used for.
Facts and figures
May 25, 2018 – The date from which GDPR applied across the EU. In the UK it is supplemented by the Data Protection Act 2018, which replaced the Data Protection Act 1998.
£500,000 – The maximum fine the Information Commissioner's Office (ICO) could impose under the Data Protection Act 1998. TalkTalk was fined £400,000 in October 2016 following the theft of personal data involving 168,000 of its customers. In August 2017, Islington Council was fined £70,000 for failing to keep the personal information of 89,000 people secure. Penalties can also be issued to individuals: a number of former NHS employees have been found guilty and fined after accessing medical records without authorisation.
€20m – The maximum fine that can be imposed upon a business for the most serious infringements of GDPR. The fine can be up to €20m or 4% of the company's total worldwide annual turnover, whichever figure is higher. Even though these figures would only apply in exceptional cases, the fines are still significantly higher than anything previously handed out by the ICO.
72 hours – The notification deadline set by Article 33. This part of GDPR potentially poses the most challenges for companies across Europe. Once a business becomes aware of a personal data breach, it has 72 hours, where feasible, to notify its supervisory authority (in the UK, the ICO), unless the breach is unlikely to result in a risk to individuals; a late notification must be accompanied by reasons for the delay. Where the breach is likely to result in a high risk to individuals, Article 34 separately requires the affected individuals to be told without undue delay. Failure to notify can itself attract a fine. This is designed to make companies put better structures in place to detect, contain and report such incidents.
91 – The percentage of IoD members who regard cyber security as an important issue. However, only 57% said they had a formal cyber security strategy.
Post Brexit – After the UK leaves the EU, GDPR will continue to affect any UK business that offers goods or services to individuals in the EU, or monitors their behaviour, and in doing so collects or processes their personal data.
An article published by the Law Society helps to further clarify the situation on GDPR and Brexit and states that “GDPR does not need to be ‘signed into British law’ while the UK remains a member of the EU. Post-Brexit, it will still be the law (until the government decides to replace it) because of the provisions of the European Union (Withdrawal) Bill.”
The IoD's Information and Advisory Service provided the following checklist of what UK businesses should do to be ready for GDPR:
- Have a continuity plan for data breaches.
- Ensure accountability for data breaches is understood by all your staff.
- Ensure you design privacy into your products and services.
- Consider the legal basis for how you use the personal data you hold.
- Check you have appropriate privacy notices and policies.
- Be prepared for subject access requests from the individuals whose personal information you hold.
- Consider and agree who is responsible when data is transferred or processed on your behalf.
- Set up a framework that ensures you have a legitimate reason for transferring personal data.