From 25th May 2018, the EU General Data Protection Regulation (GDPR) takes effect, replacing the current Data Protection Act. The regulations will see increased penalties for personal data breaches, along with a few other key changes which business owners need to be aware of.
Here’s what you need to know about the new rules:
• Data breaches must be reported to the Information Commissioner’s Office (ICO) within 72 hours of discovery.
• A new, broadened definition of personal data will now include online identifiers such as a person’s IP address. Personal data is defined as information that can be used to identify a living person, either alone or in combination with other data in possession of the data controller. This includes names, ID numbers, location data alongside physical and social factors.
• There are some enhanced individual rights rules which must be complied with, including right of data portability, the right to restrict processing, the right to be forgotten and the right to object to profiling. There are also new requirements for information to be included in ‘fair processing’ notices for customers.
• Data breach fines for businesses could rise significantly. Currently the biggest fine handed out by the ICO for a data breach is £350,000 – with a theoretical maximum of £500,000 – but this could shoot up to €20million (or 4% of a business’ annual global turnover) for serious breaches.
• Brexit is unlikely to impact the GDPR’s effect on us in Britain. The new regulation comes into play in May 2018, and even after the two years it takes for Britain’s exit from the EU to be finalised the terms are likely to remain in place in order to keep us on an equal footing with other EU countries.
So what can your business do to prepare?
• Firstly, assess what kind of data your company processes to determine if it is classed as ‘personal data’ and therefore subject to the new regulations.
• Write a checklist for use in the case of a data breach. Make sure staff are aware of what constitutes a data breach and that it must be reported within 72 hours. Is the breach likely to result in a risk to the rights and freedoms of individuals? If so, notify the relevant supervisory authority. If the risk is high, you should also notify the individuals involved.
• Make sure the information you supply to your customers on their rights under the current DPA is clear, concise, easily accessible and free of charge. A full list of what information must be supplied can be found on the ICO website.
• Keep up to date on the new individuals’ rights rules
• Some rules will only apply to larger organisations, so if you are a smaller business some regulations may not apply
• As always, ensure your companies’ data management policies are secure, comprehensive and up to date.
For more information on the GDPR, visit the ICO website here. To discuss your business’s cyber insurance, professional indemnity insurance and other covers, call Hine Insurance on 0161 438 0000 or email info@hine.co.uk.
