The General Data Protection Regulation (GDPR) becomes effective on May 25 2018, now just over three months away. For many people though, there are still plenty of questions around what it is and how to implement it.
GDPR is a new law that will replace the Data Protection Act (DPA) 1998. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
Regulated by the Information Commissioner’s Office (ICO), GDPR strengthens the rules around personal data and requires organisations to be more accountable and transparent. It also gives people greater control over their own personal data.
In a statement Steve Wood, Deputy Commissioner (Policy) of the ICO, says: “The new regime is an evolution in data protection, not a revolution.”
“Failing to get data protection right is likely to damage your reputation, your customer relationships and, ultimately, your finances. That goes way beyond increased fines – think brand damage and a subsequent loss of custom.” He adds.
GDPR will affect anyone collecting ‘Personal Identifiable Information’ (PII) data on individuals in Europe or anyone using European businesses. An individual will have the ‘Right to erasure’. This includes all data including web records with all information being permanently deleted.
The need for consent underpins GDPR. Individuals must opt-in whenever data is collected and there must be clear privacy notices. If there are any data breaches, leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, they must be reported within 72 hours.
The ICO can impose up fines of up to 20 million Euros or 4% of group worldwide turnover (whichever is greater), under new GDPR rules.
In Mr Wood’s statement, he also mentions: “If you are already complying with the terms of the Data Protection Act, and have an effective data governance programme in place, then you are already well on the way to being ready for GDPR.”
“The principles are essentially the same whether you are a small business or a multinational corporation.” He adds.
The Information Commissioner’s Office (ICO) launched a dedicated advice line 1 November to help small organisations prepare for GDPR. They have also created a 12-step guide.
The phone service is aimed at people running small businesses or charities and recognises the problems they face getting ready for the new law.
People from small organisations should dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support. As well as advice on preparing for the GDPR, callers can also ask questions about current rules and other legislation regulated by the ICO including electronic marketing and Freedom of Information.