GDPR (Post 1): Getting Ready
In a recent blog post, we presented evidence suggesting that UK business leaders lack awareness and understanding of GDPR – the EU’s new General Data Protection Regulation – especially when compared with their continental European counterparts.
With only 14 per cent of businesses being aware of the fines they could face for failing to protect personal data, UK business appears to be totally unprepared for GDPR, the most significant change to data protection legislation in Europe for the last two decades.
Recognising the fact that organisations have less than a year to become compliant, the Scottish Government has recently launched a communications campaign to raise GDPR awareness and understanding – Cyber Comms Toolkit General Data Protection Regulations (GDPR). They have encouraged suppliers to incorporate GDPR into their own communications strategies, sustaining momentum through 2017/18.
Bridgeall is happy to support this initiative with three short blog posts explaining what GDPR is, what your organisation needs to do to prepare and how to assess your GDPR readiness.
A Brief Overview of GDPR
The EU General Data Protection Regulation (GDPR), which comes into effect on 25th May 2018, replaces the Data Protection Directive 95/46/EC. It represents a profound change in data protection law in Europe; in particular, a massive shift in the balance of power from organisations collecting, analysing and using personal data to the individuals concerned. A key objective is to strengthen citizens’ rights, enhancing trust and confidence in the services they use.
The law will apply to all UK organisations operating in the EU regardless of the outcome of Brexit negotiations. The consequences of non-compliance could be enormous, with maximum fines of €10-20 million or 2%-4% of turnover.
The overall aim of GDPR is to increase individual privacy by providing regulatory authorities with greater powers to take action against organisations who breach the new law.
All organisations using personal data will be required to take additional actions to protect that data. Individuals will have increased rights of access to, portability of, and deletion of their personal details. Public sector organisations will need to appoint a Data Protection Officer, responsible for auditing compliance and reporting directly to senior management. A similar requirement will be imposed on all organisations regularly and systematically processing personal data on a large scale, and on those holding sensitive data relating to race, religion, sexual orientation and so on.
All organisations will become accountable for how they collect, use and process personal information. They must ensure that the information is up to date and compliant. Significant breaches must be reported within 72 hours and could be the subject of large fines.
A broad definition of personal data will be applied, including any information relating to an individual – name, home address, photo, email address, bank details, social network posts, medical information, computer IP address and more.
Understanding Your Responsibilities
With GDPR coming into force next May, organisations need to start their preparations now. Failing to comply could have very serious consequences for your business.
The Information Commissioner’s Office (ICO) has prepared a useful guide explaining your responsibilities in the run-up to the GDPR launch, as shown in the infographic below:
In Post 2 to follow, we will examine in more detail the steps you need to take now to ensure compliance.
In the meantime, please do not hesitate to contact us if we can be of any further help in supporting you on your GDPR journey.