General Data Protection Regulation or GDPR
The EU’s new General Data Protection Regulation or GDPR is an expansion and development of previous data protection law. At present the UK relies on the Data Protection Act 1998 but things have changed significantly since this time. The new legislation introduces harsher fines for non-compliance and data breaches, and it also gives people more rights to their personal data.
The GDPR is a way for the EU to make a simpler and clearer legal environment for businesses handling volumes of data. It will come fully into force from 25th May 2018. It is applicable to all EU member states, but the UK is also affected.
The UK actually passed its own data protection legislation in September 2017 and it implements the majority of the GDPR in the UK.
Does GDPR affect my Business?
All businesses that control and process data must abide by the GDPR legislation. Your business needs to have a data controller who states how and why personal data is used. Data controllers have full responsibility for ensuring all data processed is compliant with data protection law.
Almost every business will be impacted by GDPR. If your business is currently affected by the Data Protection Act, then the same will apply to the GDPR.
Personal data and sensitive personal data come under GDPR. It is relevant to the smallest start-ups and also the largest companies.
Accountability and Protection against Breaches
Companies affected by the GDPR will find themselves much more accountable for data breaches. Personal data and sensitive personal data have to be properly managed and stored. Companies may want to review their data protection policies. It may also be worthwhile considering data protection impact assessments and fully auditing record keeping within your business.
Data breaches are becoming increasingly common. Companies such as Equifax, T-Mobile and Yahoo experienced breaches within the last 12 months. Smaller companies also need to be vigilant. The GDPR states that “destruction, loss, alteration, unauthorised disclosure of, or access to” personal data must be reported to the country’s data protection regulator. In the UK we have the ICO and they require notification within 72 hours of an organisation finding out about a breach.
The ICO has prepared some information about the GDPR, with more expected before the regulation comes into effect in May 2018. All professional business owners should ensure they have a good understanding and are prepared for the regulation before this time.