
Sudha Mani

Sudha Mani is an entrepreneur, management consultant and IT strategist. Sudha helps organisations and businesses leverage technology to increase productivity and profits. She has more than 22 years of experience in the public, private and finance domains. She also speaks on technology, business and soft-skills topics.

5 Key Changes in the GDPR from the DPA 1998

The EU General Data Protection Regulation (GDPR) is a well-rounded regulation that covers data privacy management and the individual rights of EU citizens extensively. The GDPR is coming, or came, into effect on 25th May 2018, depending on when you read this article.

All businesses that do business with companies established in the EU, and anyone who is doing business with the EU, must be compliant. Otherwise, there will be substantial penalties.

Now, there has been a working EU Data Protection Act (DPA) since 1995. Why bother with a new regulation and enforce it on businesses? The GDPR supersedes the 1995 EU data protection directive. GDPR and Brexit: this is the first EU legislative directive that the U.K. will adopt when Brexit happens. This regulation applies to all businesses: for-profit, non-profit, charities and solopreneurs. I have seen many small business owners who have not yet aligned with the GDPR. Many don't even know that they need to be compliant.

Cyber Attacks

Many organisations have been somewhat irresponsible with the personal data collected from their customers and clients, not intentionally in many instances. There are no clear systems or procedures in place to delete the personal data acquired from the client. There was the Freedom of Information Act, under which a data protection officer would look into a request and provide the information to the requestor within a stipulated time, but this was not applied consistently. We have seen many authoritative organisations, including government systems, banks and many private organisations, that were responsible for data breaches in recent years. This article in CNN talks about just ten of the data breaches. There are many organisations we don't even know have had breaches, because they are not high-profile players in society. Many cyber attacks are not reported correctly or promptly to the data owners (that's us) or to the auditing authority. Cyber attacks happen because of system vulnerabilities within organisations. Many leaders and managers don't know how to handle an attack after it has happened. Some take years to report to the relevant authorities what had happened. The massive fines or penalties for not having data handling and reporting procedures, and for failing to report data breaches, will bring some regulation to organisations that handle personal data.

Let us have a look at the five fundamental changes in this new General Data Protection Regulation (GDPR).

1. Boundary has changed
The current DPA 1998 is quite strict on data protection, and this is evident in its definition. However, it is applicable only within the EU; non-EU organisations are exempt, even though there are some regulations, such as Privacy Shield and Safe Haven, which support it but not to the extent of the GDPR.
2. Penalties or GDPR Fines
Under the Data Protection Act (DPA 1998), the penalty or fine imposed for a severe data breach is up to £500,000. Many organisations do not have proactive controls in place to avoid violations. Under the GDPR, the penalties are 20 million or 4% of annual turnover, whichever is greater, for severe offences and for not having the right controls in place. The GDPR fines on organisations can be up to 2% of annual turnover where proper controls are not in place…
3. Explicit Consent
Data analytics and big data have opened numerous opportunities for organisations. The general public, who are the real owners of the data, are not aware of how their information is used, or misused in some cases. The GDPR sets out clear guidelines on how these consents must be obtained explicitly.
4. Data Protection by Design
The significant change in the GDPR is data privacy management throughout the full data lifecycle (collection, archive, usage, destruction). The DPA 1998 defines data management, but it is not as explicit as in the GDPR. Data protection in the GDPR is proactive and preventative rather than reactive and remedial. You don't need to appoint a GDPR data protection officer, but there must be someone tasked to look at all queries.
5. Data Subject or Data Owner Rights
The General Data Protection Regulation defines the data owner's rights clearly. If owners feel that their data is not managed correctly, then they have the right to get access to it. At the same time, organisations and their suppliers MUST know their roles as controllers and processors. Failure to understand their roles will be very costly to organisations. Also, in case of breaches, the supervising organisation and the owners must know about the violation immediately.

Small Business Owners and GDPR

Many large organisations within the EU and outside its boundary that do business with EU citizens have made changes to their data privacy policy and other procedural changes, but are they officially GDPR compliant? Being GDPR compliant takes more effort from companies and sets boundaries on what is acceptable when handling personal data.

Alas, many small business owners are not even aware of this regulation. For example, a plumber who takes down the name, number and postcode of a client in need on a piece of paper is not aware that he or she is handling the client's personal data. As a GDPR consultant, I see many instances of this happening.

GDPR is not a one-off implementation; it is an ongoing process as long as you are dealing with or managing the personal data of others.

General Data Protection Regulation compliance is not hard. So, hire a consultant and become compliant.
