GDPR 5 Key Requirements You Need To Implement Now


Recent research has shown that widespread ignorance of the General Data Protection Regulation (GDPR) will leave many businesses at risk of significant fines and damage to reputation.

If you are currently subject to the Data Protection Act 1998 (DPA), it is likely that you will also have to comply with the GDPR.
A study by Irwin Mitchell Solicitors found that only three in ten businesses have begun preparing for GDPR, while 35% were still completely unaware of the new data protection rules or heavy fines.

Businesses that are unaware of the GDPR could face devastating repercussions for non-compliance.
The current Data Protection Act (DPA) already carries fines for non-compliance; however, the NCC Group (a global expert in cyber security and risk mitigation) estimates that the fines issued by the Information Commissioner’s Office (ICO) in 2016 would have totalled £69m under the GDPR, rather than £880,500.

The General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018.

To help businesses prepare for the GDPR, we have identified 5 key requirements they need to implement now:

1. Controllers & Processors
It is essential for organisations involved in the processing of personal data to be able to determine whether they are acting as a Data Controller or as a Data Processor.

A Data Controller is a person who (alone or jointly with others) determines the purposes for which, and the manner in which, personal data are to be processed.

A Data Processor, in relation to personal data, is any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

If you are a processor, the GDPR places new specific legal obligations on you.

  • You will be required to maintain records of personal data and processing activities.
  • You will have significantly more legal liability if you are responsible for a breach.

If you are a controller, the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

Whether you are a controller or a processor, you must know where personal data are stored.

2. Data Protection Officer
Under the GDPR you must appoint a Data Protection Officer (DPO) if you:

  • Are a public authority (except for courts acting in their judicial capacity);
  • Carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

The DPO’s role is similar to that of a Compliance Officer: the DPO is expected to oversee IT processes and data security, deal with cyber-attacks, and handle other critical business continuity issues relating to the holding and processing of personal and sensitive data.

The DPO is responsible for monitoring compliance with the GDPR, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.

3. Data Protection Impact Assessment (DPIA)

Also known as Privacy Impact Assessments (PIAs), DPIAs are not a legal requirement under the DPA, but under the GDPR they become mandatory where processing is likely to result in a high risk to individuals. Even where they are not required, they are tools which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.
An effective DPIA will allow organisations to identify and fix problems early, reducing any associated costs and damage to reputation.

For the full article, download the free GDPR Key Requirements White Paper.