After more than three years of discussion, the EU General Data Protection Regulation (GDPR) framework will replace the current 1998 Data Protection Act. It comes into effect on 25th of May 2018 and non-compliance can lead to some significant consequences! Depending on the kind of infringement, there might be monetary penalties from 2% up to 4% of a company's annual turnover.
The main intent of the GDPR is to give individuals more control over their personal data, impose stricter rules to companies handling it and make sure companies embrace new technology to process and protect the data produced.
Hiscox, our current insurance provider, has put together 11 tips to help you prepare for the new data protection rules.
But in a nutshell here are the major changes that are mentioned in this new legislation:
Consent - Consent of personal data must be freely given, specific, informed and unambiguous. Consent is not freely given if a person is unable to freely refuse consent without detriment.
Accountability and privacy by default - The GDPR has placed great emphasis on the accountability for data controllers to demonstrate data compliance. They will be required to maintain certain documentation, conduct impact assessment reports for riskier processing and employ data protection practices.
Notification of a data breach - Data controllers must notify the Data Protection Authorities as quickly as possible, where applicable within 72 hours of the data breach discovery.
Role of data processors - Data processors will now have direct obligations to implement technical and organisational measures to ensure data protection; this could include appointing a Data Protection Officer if needed.
Right to be forgotten - This change is one of the most useful changes for the average person managing their data protection risks. A person will be able to require their data to be deleted when there is no legitimate reason for an organisation to retain it. Once this is requested, the organisation must also take appropriate steps to inform any third party that might have any links or copies of the data and request them to delete it.
When it comes to data protection compliance there's a lot to think about. The GDPR introduces new responsibilities on organisations that process data on behalf of their customers as well as requiring data controllers to ensure their processors are GDPR compliant.
In addition to the above clauses, our customers should also review the process of making a website GDPR compliant, and make recommendations to us for specific changes. A common breach is a form that invites users to subscribe to newsletters or indicate contact preferences with a 'tick-box' pre-selected. With the new regulations this must default to 'no' or be blank. Existing clients will need to check their forms to ensure this is the case. Automatic "opt-in" will now see you in breach of GDPR.
Finally, we have uploaded a guide that Hiscox produced which further explains GDPR and what you can do to ensure compliance. Hiscox Guide to GDPR.