The EU General Data Protection Regulation – GDPR is well-rounded which covers the Data Privacy Management and Individual rights of EU citizens extensively. The GDPR is coming or came into effect on 25th May 2018 depending on when you read this article.
All businesses who do business with EU established companies in EU, and anyone who is doing business with EU must be compliant. Otherwise, there will be substantial penalties.
Now, there has been working EU Data Protection Act (DPA) in 1995. Why bother with new regulation and enforce on business? The GDPR supersedes 1995 EU data protection directive. GDPR and Brexit – This is first EU legislation directive that the U.K. will adapt when Brexit happens. This regulation applies to all businesses; profit or non-profit or charities or solopreneurs. I have seen many Small business owners and GDPR has not aligned yet. Many don’t even know that they need to compliant.
Many organisations have been somewhat irresponsible with the personal data collected from their customers and clients; not intentionally in many instances. There are no clear systems or procedures in place to delete the personal data acquired from the client. There was freedom of information act and data protection officer will look into it to provide the information within a stipulated time to the requestor, but this was not consistent. We have seen many authority organisations including government systems, banks and many private organisations which were responsible for data breaches in recent years. This article in CNN talks about just the ten data breaches. There are many organisations we don’t even know that breaches had happened because they are not high profile players in society. Many cyber-attacks are not reported correctly promptly to the data owners (that’s us) and auditing authority. Cyber attacks happen because of system vulnerability within the organisations. Many leaders and managers don’t know how to handle the attack after it has happened. Some take years to report to relevant authorities of what had happened. The massive fines or penalties for not having Data handling and reporting procedures and failure to report data breaches will bring some regulation within organisations who handle the personal data.
Let us have a look at the five fundamental changes in this new General Data Protection Regulation – GDPR.
1. Boundary has changed
Current DPA 1998, is quite strict on Data Protection and is evident in the definition. However, it is applicable within the EU; Non-EU organisations are exempt even though there are some regulations such as Privacy Shield and Safe Haven which supports but not to the extent of GDPR.
2. Penalties or GDPR Fines
In the Data Protection Act – DPA 1998, the GDPR penalties or GDPR fines imposed on a severe data breach is up to £500,000. Many organisations do not have to have proactive controls to avoid violations. In GDPR, the penalties are 20 million or 4% annual turnover whichever is more significant for severe offences and for not having the right controls in place. The GDPR Fines on organisations can be up to 2% of annual turnover where proper controls are not in place…
3. Explicit Consent
Data Analytics and Big Data have opened numerous opportunities for the organisation. The general public who is the real owners of the data is not aware of how their information is used or misused in some cases. The GDPR sets out clear guidelines on how these consents must be obtained explicitly.
4. Data Protection by Design
The significant change in GDPR is Data Privacy Management throughout the full data Lifecycle (collection, archive, usage, destroy). The DPA 1998 defines data management, but it is not as explicit as in GDPR. Data protection in GDPR is proactive and preventative rather than reactive and remedial. You don’t need to appoint a GDPR data protection officer, but there must be some tasked to look at all queries.
5. Data Subject or Data Owner Rights
The General data protection regulation defines the data owner rights clearly. If the owners feel that their data is not managed correctly, then they have the right to get access. At the same time, organisations and their suppliers MUST know their roles as controllers and processors. Failure to understand their roles will be very costly to the Organisations. Also, in the case of breaches, the supervising organisation and the owners must know about the violation immediately.
Small Business Owners and GDPR
Alas, many Small Business Owners are not even aware of this regulation. For example; A plumber who takes down the name, number and postcode of a client in-need on a piece of paper is not aware that he or she is handling personal data of the client. As a GDPR consultant, I see many instances of these happening.
GDPR is not one of implementation; it is an ongoing process as long as you are dealing with or managing personal data of others.
General Data Protection Regulation Compliance is not hard. So, hire a consultant and become compliant.