GDPR is one acronym it’s been impossible to ignore in recent months. The implementation date may have passed, but GDPR represents a regime that is here for good, and for good reason; it’s something we must all embrace.
High-profile data breaches and cyber attacks certainly hit the headlines, from the Yahoo! breach in 2014 that affected over 500 million user accounts, to the more recent revelation that Dixons Carphone suffered a huge data breach beginning in July 2017 involving 5.9 million payment cards and 1.2 million personal data records drawn from UK High Street staples such as Currys, PC World and Carphone Warehouse.
Naturally, businesses are concerned about becoming the next victim of a cyber attack, suffering huge costs to fix the problem and risking a loss of reputation as a consequence. How such data breaches can best be prevented is a hot topic, and questions are being asked about whether the new standards for processing data in the EU under the General Data Protection Regulation (GDPR) are of help. Thanks to extensive media coverage, most businesses were well aware of the implementation of GDPR on 25 May and made preparations to comply with it. However, there still seems to be some confusion as to what the new standards and requirements under GDPR are in practice, and what the consequences of non-compliance are.
One of the changes under the new legislation requires that businesses know what personal data they hold: what type of data it is, where it came from, what it is used for and on which lawful basis it is processed. Businesses should make a thorough assessment of their records and delete any data whose purpose has been fulfilled or that is no longer required. If a business relies on consent as its basis for processing, it must be able to demonstrate that the consent was freely given by a clear affirmative action and is specific to that use of the data; pre-ticked boxes or silence do not count.
Under GDPR, the definition of personal data has been widened and the requirements for sensitive (special category) data have been tightened. Personal data is any information relating to an identified or identifiable person, which includes online identifiers such as a customer's IP address or a user's social media posts. Sensitive data covers racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used for identification), health data and data concerning sex life or sexual orientation. Consent is only one of the lawful bases on which a business may collect personal data; where consent is the basis relied on, permission must be asked for explicitly rather than assumed, and sensitive data may only be processed with explicit consent or under another specific exemption. Additionally, businesses must give customers access to their data on request, normally within one month of receiving the request.
Handling personal data comes with responsibility, and there are inevitably costs in implementing data protection policies, risk assessments and wider policy changes. Investing funds and resources in appropriate policies, and in appointing a data protection officer where one is required, is nonetheless worthwhile, because non-compliance can attract hefty fines. The Information Commissioner's Office (ICO) can impose administrative fines in two tiers, depending on which provisions are infringed. The first tier carries a fine of up to €10 million (£8.7 million) or 2% of annual global turnover, whichever is higher; the second carries a fine of up to €20 million (£17.5 million) or 4% of annual global turnover, whichever is higher.
If you are at all concerned about whether or not your business is GDPR compliant or if you would like more information on how you can protect your business or your data, please contact Robert Ganpatsingh.
Written by Julie Marie Stacey, edited by Beatrice Bass