On the 25th May the General Data Protection Regulations ( GDPR ) comes into force which will change the whole world of how personal data is managed for individuals that live within the EU member states.
The concept behind this is to give people back control of their data which imposes strict data protection obligations on businesses and provides individuals with the right of redress should their data not be managed in accordance with these regulations.
Despite the fact that the UK will be leaving the EU next year, the regulations will apply to UK businesses after which these will then be replaced by the proposed Data Protection Bill that will impose similar data protection regulations.
GDPR is arguably long over due, in the UK we currently have the Data Protection Act 1998, to put this into context at the time that this was implemented , there are analogue television and dial – up internet…. .. The increase in the use of personal data has increased dramatically since then due to the advances in technology and how people interact with the many modes of communication such as social media.
In the UK the Information Commissioners Office (ICO) will monitor and regulate the GDPR. The ICO website provides a guide to businesses explaining their obligations and to help those individuals who have day to day responsibility for data protection within their organisation.
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
In order to help businesses prepare for for these new regulations the ICO have published “Preparing for the GDPR – 12 Steps to take now
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
What types of data does this apply to ?
This relates to any information which is personally identifies an individuals and includes the following :-
Names & addresses
Passport Number
National Insurance Number
Photographs
Biometric data such as fingerprints , iris scanning and voice recognition
The Dangers of Non-Complaince
The profile of GDPR is gathering moment and no doubt individuals will wish to be aware of the amounts data that is held against their name. With this will bring about situations where individuals request details and these are unavailable due to non-compliance with business being unable to produce the information at all or within the required time limits.
The other issue and the one with the most significant consequences is where a business suffers a data breach as a result of a hacker attack or an perhaps an error or deliberate act by an employee, the details are then disseminated into the public domain or used for ill gotten gains. The ICO has powers to issue fines of up to 4% of worldwide turnover of a businesses or 20 million Euros whichever is the greater. This is an uplift from GBP500,000 under the current regulations, this therefore represents a significant increase and demonstrates that a serious non-compliance will have severely consequences.
Managing GDPR
It will be essential that the correct processes and procedures are in place and in the event of a data breach it is important that an incident response plan is readily available whether this having been drawn up internally or with the help of a specialist consultancy. The incident response plan will consists of various vendors to help manage the breach such as lawyers and public relations consultants.
A cyber insurance policy provides such resources and is offered by insurers on a 24/7 basis should the policyholder be subject to a data breach.
The management of these new regulations within a businesses is going to be a fundamental focal point going forward with personal at all levels needing to be aware of their day to day obligations in the processing and handling of data.
Image : Shutterstock