In the UK, and across Europe, one of the most discussed upcoming changes to legislation is the General Data Protection Regulation (GDPR). Despite the decision to withdraw from the European Union (EU), the UK government has stated that it will bring the EU GDPR into UK law, giving UK businesses certainty over how they can use data in the future. To give people greater control over their personal information, the full GDPR comes into effect on 25th May 2018.
From small businesses to large organisations, it’s important that you’re up to date with these changes and understand how to safeguard your business from future sanctions. GDPR is essentially an overhaul of the Data Protection Act (DPA) and takes into account more recent technologies that the DPA did not directly address. Here are the key points you need to be aware of.
Greater control and protection for individuals
GDPR exists because it has become harder for individuals to know where their data is and how to have it altered. Under GDPR, businesses are required to pass control back to individuals, who will have the ability to alter or transfer their data, or even, in certain circumstances, to request that it be deleted. This is the ‘right to be forgotten’.
It’s all about the details
One of the major concerns at present is how businesses go about collecting data. Many UK-based individuals are unaware of when their data is being collected and for what purpose. Businesses need to offer full transparency and make it clear when they are collecting data and why. For example, you will need to remove all pre-ticked (auto opt-in) checkboxes from sign-up forms. Furthermore, once you have finished using the data for its intended purpose, you will need to destroy it.
New world of cyber threats
Cyber threats are becoming more widespread and damaging. In fact, it was reported that nearly six million fraud and cyber crimes were committed in the UK alone in 2016. To combat this, organisations large and small need to ensure they have the required security controls in place to protect valuable customer, employee and company data. The most effective way of achieving this is with a robust information security management system (ISMS). Achieving ISO 27001 accreditation demonstrates that your company is taking the necessary steps to follow information security best practice, ensuring that all data is sufficiently protected at all times.
Be aware that, even after taking such measures, your systems may be subject to regular impact assessments by the Information Commissioner’s Office (ICO) to ensure data is stored safely. Large organisations in particular are accustomed to holding extremely large amounts of data, so they need to ensure they are fully protected against attempted security breaches.
There will be harsher penalties in place
Failure to comply with these requirements can lead to hefty fines from the ICO. The ICO’s powers are being greatly increased, meaning it can carry out tests more frequently. Beyond this, it will also be able to fine businesses for a wider list of infringements, and its maximum fine limit is being increased from £500,000 to £17 million, or 4% of annual global revenue – whichever is higher.
It is worth noting that, even after Brexit occurs, the provisions of the GDPR will still apply through their implementation in domestic law. In fact, it is widely believed that GDPR will be extended following Brexit to further ensure the safety of individuals’ data across the UK. The ICO has made it clear that, whatever the cause of any mismanagement of data under the new GDPR, businesses as a whole will be punished.
Knowing the basics of GDPR
The ICO is the UK’s independent body responsible for upholding the correct use, collection and storage of private information. It has taken action to ensure organisations take the relevant and necessary measures to meet their information rights obligations. From self-assessment reports and audits to legislation guides and case studies, there is a wealth of information and advice available to organisations seeking guidance. With such widespread changes to data protection imminent, educating employees is key to ensuring data is captured, stored and used legally. Discover more here to learn how to comply.