It seems that ever since the European Parliament and Council dreamt up the General Data Protection Regulation (GDPR) in 2016, every man, woman and their dog have been talking about it. This is extremely prevalent in the data industry, but what's the big deal? This will be a very brief overview of GDPR and my recommendations on steps to make yourself a little more prepared for the landfall of the Regulation in 2018.
GDPR serves as a blanket piece of legislation that will apply to all European Union (EU) member states. It will come into effect on the 25th of May 2018, and a large number of people have been guilty of scaremongering in relation to the new regulation.
People who think Brexit will prevent the headaches of GDPR may be wrong. The government has proposed a new data protection bill that will essentially copy GDPR into British law once we have left the Eurozone.
GDPR relates to the way that personal information is used and stored by data processors and controllers and the legislation has a larger effect on these people than anyone else, as they are the ones who will be subject to liability in the event of a data breach. It also applies to nations who supply goods or services to countries in the EU.
One of the main changes GDPR brings is that the definition of 'personal data' has been expanded to include things such as IP addresses. For the majority of organisations it can be assumed that if the data they hold falls under the Data Protection Act 1998 (DPA 1998), then it will fall under GDPR also.
With no complete, comprehensive and official guidelines currently published, companies are either going over the top to prepare or are waiting and have not prepared at all. However, to get a good base understanding of the Regulation, ask yourself this: is what I'm doing illegal under the DPA 1998? If so, it will likely be illegal under GDPR.
It must be stressed that GDPR does not seek to punish companies for violations; rather, it seeks to safeguard members of the public and their personal information. The enormous fines you may have heard about will obviously be used sparingly by the Information Commissioner's Office (ICO), and any penalties will be proportional to the magnitude of the offence committed. The ICO is not going to fine an SME with a minuscule annual profit to the tune of £1M.
The financial penalties for breaching GDPR are as follows. Firstly, a company may be charged by the Supervisory Authority in its country (the ICO in the United Kingdom) a total of up to 10M Euros or 2% of the company's annual turnover, based on figures from the previous fiscal year, whichever is greater. In the case of the gravest offences, a penalty of up to 20M Euros or 4% of the company's annual turnover from the previous fiscal year may be applied, again depending on which figure is higher. It must be stressed that these fines will only be handed out in the most consequential incidents and will only be used to their fullest extent against companies with significant revenue.
For example, according to figures from the ICO website for the calendar year 2016, the ICO brought monetary penalties for transgressions on only 34 occasions.
To finalise, here are some practical steps and precautions you can take to improve your readiness for GDPR, without having to go to extreme lengths or spend a large amount of money.
Improve your Cyber-Security: This will help to prevent data breaches caused by hackers, which could lead to potential penalties for your company.
Consider encrypting the data that you store in-house and keep the encryption key separate from your network.
Always check the recipient when sending data to another party to ensure it is going to the correct person. This will prevent breaches where the wrong person has obtained sensitive information.
Keep reviewing publications from the ICO. This will provide you with more advice that you can put into practice before the Regulation comes into effect.
Try to minimise the number of people handling sensitive information within your company. This leads to fewer opportunities for an accidental breach.
By applying these steps, you can take reasonable precautions towards readying yourself for GDPR, and when the official guidelines are published you can then invest more in the avenues they recommend.
The fact of the matter is, GDPR will only be an issue for your company if you allow it to become one. Be sensible and be cautious when handling sensitive information.
You can read our Corporate Legal Counsel LinkedIn Article here: https://www.linkedin.com/pulse/gdpr-780-words-really-bad-kieran-evans/
Visit Kieran's LinkedIn here: https://www.linkedin.com/in/sme-kieranevans/