GDPR differs from the DPA with increased mandatory regulations and more accountability.
Every business needs to consider how the GDPR will affect them and to start planning for it now, as this is not a process that can be achieved overnight.
GDPR legislates as to how businesses gather, use and retain personal data about individuals who are based in Europe. Businesses must comply with these regulations or face hefty fines or even a prison sentence. There is also a great risk of reputational damage to businesses for breaches of this regulation.
When the General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 it will replace the current Data Protection Act 1988 (DPA). If your business is compliant with the DPA, you probably already fulfil many of the requirements of the General Data Protection Regulation (GDPR).
Below is a summary of the key differences to help you consider what action you may need to take to update your existing information systems.
1 Location
Current: DPA applies only to organisations in the UK.
New: GDPR regulation extends its reach to encompass all European States. It will apply even though Britain is leaving the European Union. It also applies to any global company holding data on EU citizens.
2 Definition of Personal Data
Current: Personal data and sensitive personal data which could identify someone directly or indirectly.
New: Definition is extended to include online information which could identify a person, for example, IP addresses, mobile device IDs and encrypted data. There are also new responsibilities to protect children’s personal data.
3 Responsibility
Current: Only the data controller has responsibility for the security of information.
New: GDPR also makes the data processor responsible. Companies with more than 250 employees must employ a Data Protection Officer. Consumers could hold both the data processor and the data controller responsible for data breaches.
4 Accountability
Current: Under the DPA, businesses had to indicate intent and willingness to comply.
New: GDPR means businesses and organisations have mandatory responsibility to demonstrate compliance. Ways in which this can be shown include:
- Staff training
- Internal audits and documentation of data processing activities
- Internal HR policy review
- Meet all the principles of data protection by design
- Implement Protection Impact Assessments
5 Consent
Current: Data collection does not necessarily require an opt-in.
New: Individuals must give explicit consent to opt-in whenever data is collected and there must be clear privacy notices. Those notices must be concise and transparent and consent must be able to be withdrawn at any time.
6 Subject Access Requests
Current: People have the right to request to see what information you hold about them. These requests carry a £10 charge and there is a requirement to respond to the applicant within 40 days.
New: Under GDPR subject access requests will be free of charge and must be responded to within 30 days.
7 Data Breaches
Current: Companies are not obliged to report data breaches, though it is considered best practice under the current DPA.
New: GDPR carries a mandatory requirement for all data breaches to be reported to the regulator within 72 hours.
8 Data removal
Current: There is no requirement for an organisation to remove all data they hold on an individual.
New: An individual will have the ‘right to erasure’ – which includes all data including web records with all information being permanently deleted.
9 Enforcement and Penalties
Current: Enforced by the Information Commissioner’s Office (ICO) in the UK. It can issue fines of up to £500,000 or 1% of annual turnover to any UK organisation that “seriously breaches” the DPA.
New: Each European country will have its own supervisory authority to monitor GDPR compliance. The ICO will be the supervisory authority in the UK. From 25 May 2018, organisations that fail to comply with GDPR could be fined up to €20 million or 4% of their annual global turnover, whichever is higher.
10 Privacy by design
Current: Protection Impact Assessments (PIAs or DPIAs) are not a legal requirement under DPA.
New: DPIAs will be mandatory and must be carried out when there may be a high risk to the freedoms of the individual. A DPIA helps an organisation to ensure they meet an individual’s expectation of privacy.
Does your company meet the GDPR Fundamentals Standard?
There is no shortage of advice on GDPR, but if you want to take a more practical approach, Kate Armstrong, nesma Tutor and Blue Shadow Growth Agency’s Managing Director, is a registered GDPR Fundamentals Practitioner and recognised as a specialist in the new GDPR Fundamentals standard.
If you would like some practical help with GDPR, this 3-part programme of activity is ideal for you. The programme will help you understand your organisation’s legal duties, put a spotlight on any changes you need to make and ultimately ensure you reach the GDPR Fundamentals standard.
The GDPR Fundamentals standard* has been devised to assist organisations in their efforts to comply with the new data protection regulations. It offers businesses the opportunity to obtain external recognition of their GDPR management system and has been written using the principles of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
There are three elements: the training, the audit and the certificate.
The Training will give you the knowledge to assess your organisation against the GDPR requirements, using a practical framework that will help you understand what it means to be compliant. Businesses will receive a GDPR Fundamentals attendance certificate from the accrediting body on completion of the 1-day training course.
The Audit, delivered in the form of a 2-hour survey carried out by an accredited GDPR Fundamentals Practitioner, will help you to assess your systems and policies against the demands of the GDPR Fundamentals standard.
The GDPR Fundamentals Certificate of Compliance is a recognised management standard for data protection compliance which immediately identifies that your organisation has been audited by an independent third party and that you can demonstrate compliance.
Find out more about the GDPR Fundamentals programme –
The 1-day training costs start at £395 + VAT per person.
Get more information about this course and the full programme by emailing hello@nesma.co.uk or calling Kate Armstrong on 07930 473 971.
Disclaimer
This information is aimed at giving you a summary of current and emerging data protection and privacy regulations and guidance. It is not intended as legal advice and is not represented as such by the author or publisher. It is advised that legal counsel is sought to ensure compliance with legislation.