What are the consequences of GDPR?
On the 25th of May 2018, the new General Data Protection Regulation (GDPR) will officially be enforced across the whole of the European Union. This will also affect all businesses outside the EU if they are to deal with EU citizens’ data.
What is GDPR?
The digital world has excelled since the Data Protection Act was introduced in 1998, as you can imagine, the update is greatly needed.
GDPR was introduced so that it can regulate how all businesses use personally identifiable data across the entire EU. All Citizens living in the EU will now be protected from businesses using their data irresponsibly. This gives them power over what data is shared, as well as how and where it is shared.
The EU has officially broken down what exactly is meant by personally identifiable data, in a more detailed explanation. Personally, identifiable data is absolutely anything that connects to an individual. This includes all data that contains a name, an email address, their age, and location. Also, online identifiers such as IP addresses and mobile device IDs are included too.
One of the biggest changes in the new law is the right to be forgotten. This means that a person can now request that a company deletes all data that is held about them.
How should a data breach be handled?
If there was to be a data breach within a business, a mandatory report is required. The business must report the breach to the National Data Protection Authority. If a security system has been compromised and personal data has been disclosed, this is a personal breach. This must be reported, whether it is an accident or unlawful misconduct.
It is up to the business to choose the level of severity of the breach by accessing the risks for the individual’s data. If the business decides it is a risk, they must notify the DPA. However, if the business chooses that the breach is not a risk and to not report it, then the business must keep a record of the breach and the reason for not reporting it to the DPA.
Each and every business should have correct procedures in order. This is so that, in the case of a breach, the regulator is notified correctly and all staff are informed on how to handle a data breach without further issues.
What are the penalties for a data breach?
The ICO will not take a severe data breach lightly. In fact, a business that breaches GDPR can face a fine of €20,000,000 (£17,621,269) or 4% of Global turnover. The greater amount will be the chosen fine.
This fine is the largest the ICO will give and it will depend on the impact of the breach and why the breach happened. This shows how seriously the EU is enforcing the new regulations. Anyone that does not follow them will face the consequences.
However, there is a way out! If a business has prepared and worked towards GDPR compliance, fines can be reviewed and reduced if there is evidence that shows that.
What do I need to do?