In my last article, I gave a quick heads-up on the fact that a new set of regulations covering Data Protection has come out of Brussels and that the UK government (and by extension, UK businesses) will have to comply by 25 May 2018. I finished off by saying that Brexit won’t get us out of having to comply and that, in any case, we should use the opportunity to get control of our data and demonstrate to others that we know what we’re doing with it.
So, what are the differences between the current Data Protection Act 1998 (DPA) and the new GDPR regulations? The following is not a complete list, and I’ve left out some of the details to keep this article short.
- The definition of ‘Personal Data’ has expanded to any form of identifier that can uniquely identify an individual, e.g. if you record a computer’s IP address and you can identify a person from it, that record is covered by GDPR.
- Under the DPA, Subject Access Requests could be carried out for £10. Under GDPR, they have to be processed for free (with some exceptions) and answered within a month.
- The Information Commissioner’s Office (ICO) must be informed within 72 hours of data breaches that risk affecting the rights and freedoms of individuals. The decision on whether a data breach is serious enough that the ICO needs to be informed is down to you, but if you don’t tell them, you should be ready to justify your decision.
- Right to erasure – more commonly known as ‘the right to be forgotten’. This right already exists in the DPA but only applies where there is a risk of ‘unwarranted and substantial damage and distress’. In the GDPR, this right has expanded beyond its original limit but is still not a blanket right. You do, however, have to justify a refusal, so if you can’t give a compelling reason for holding onto someone’s data, delete it.
- Data Portability – this is a new right under GDPR, allowing individuals to reuse their data. Almost by definition this includes supplying it in a structured, machine-readable form.
- Consent – must now be granular, unambiguous, specific to the processing activity you wish to carry out, and revocable. Importantly, it can’t be assumed from silence or inactivity and has to work on an ‘opt-in’ basis.
- Fines – currently, the maximum the ICO can fine a company is £500K. This is going to increase to 20 million Euros or 4% of the company’s annual turnover (whichever is greater).
You need to remember that the maximum fine would only be applied in the most serious of cases, and probably only those where the company at fault is felt to have had the resources to know better. Whatever you do, don’t think that just because the maximum fine has increased by a factor of 35, all other fines will increase by a factor of 35 too!
This is one of a series of articles on GDPR and where the path lies to compliance. To understand more about GDPR and how I can help you, contact me at firstname.lastname@example.org