Superseding the UK Data Protection Act 1998 (DPA), the GDPR will hold businesses to higher standards and impose tougher penalties on those that do not comply.
The Regulation grants more rights to customers whose rights have been infringed upon by organisations. Those organisations are expected to adopt ‘appropriate technical and organisational measures’ to protect their customers’ personal data.
There have been many misconceptions about what GDPR compliance means, so we would like to take an opportunity to run through some of the more common ones.
Under the new Regulation, a consent document should be a simple document that clearly and plainly states that, by agreeing, the customer permits your company to process their personal data. Without such a document, you do not have consent to process or hold that customer’s personal data.
The onus is on you to obtain consent that is given freely; it cannot be assumed from inaction or inactivity. This applies to your existing database, too. If you do not hold documentation in which a customer has given permission for their data to be processed, it’s down to you to seek that consent.
Mandatory data breach reporting means that, should there be an incident, the Information Commissioner’s Office will expect a report of the incident within 72 hours of the occurrence.
According to the ICO, a comprehensive report is not expected at the moment the incident is discovered. Instead, the focus should be on the scope of the breach, its cause, how you intend to mitigate its damage and how you intend to address the problem.
It’s being reported that organisations found in breach of the Regulation, including failures to report data breaches, can expect tougher penalties. The ICO has been given the authority to administer fines of up to 4% of a business’s global annual turnover or £17 million, whichever is greater.
Comparatively, the current largest fine that the ICO can impose is £500,000, so it’s plain to see that this is a significant increase. It’s important to remember that fines are among the last penalties the ICO resorts to, and it has yet to invoke its highest powers. That said, it’s far better to avoid any penalties at all.
Brexit does not affect a business’s legal requirement to adhere to the GDPR. Not only does the Regulation come into force before Britain has finished leaving the EU, but the government and the Information Commissioner have both confirmed that it will apply.
As it stands, there is a Data Protection Bill moving through Parliament. The best way to think of it is that the DP Bill works in conjunction with the GDPR. It applies GDPR standards and modernises the UK’s extant Data Protection laws.
When the UK leaves the EU, the GDPR and the DP Bill will work together until such time as the UK restores a domestic basis for its data protection laws. Those laws will continue to use the requirements set out by the GDPR. That’s why it’s important to familiarise yourself with both the GDPR and the DP Bill.
We’re a data-driven company, which is why it’s so important for us to ensure that we are working within the parameters of up-to-date data protection regulations.
We’ve been altering our practices to ensure that we are GDPR compliant, and as such we understand what this process entails and what needs to be considered. We want to ensure that our clients are kept abreast of these changes.
If you’re working with us and want some clarification on what GDPR compliance means for your business, or you want to know how novi.digital can help you, don’t hesitate to contact our team of experts today.