The ICO is set to implement a new regulation called the GDPR, which goes live on the 25th May 2018. GDPR stands for General Data Protection Regulation. The regulation comes from the European Union and is intended to strengthen and unify data protection across the EU.
The ICO state that ‘consistency across the EU is one of the key drivers of the GDPR and the Article 29 Working Party’. Regardless of Brexit, this EU-wide law will still come into force, so companies both large and small need to be prepared.
New and updated regulation is needed since the two laws currently in force in the UK are the outdated Data Protection Act 1998 and the 1995 EU Data Protection Directive. However, this regulation has far-reaching changes and implications that will affect every company and organisation in the UK, and it is important that all organisations are aware of the changes and are getting ready for GDPR.
GDPR applies to ‘controllers and processors’. This can be any person who determines how personal data is processed or any person actually processing personal data. Even if the people in these two roles are outside the EU, the regulation will still apply if the data belongs to EU citizens.
The rules of the GDPR will mean that personal data must be processed lawfully, transparently and for a specific purpose. Once that purpose is completed the data must be deleted.
The most important thing here is that the subject has consented to their data being processed, whether through fulfilment of a contract or a legal obligation. Consent must be active, not passive, so no pre-ticked boxes on emails or email addresses automatically added to data lists, according to the GDPR.
Records must be kept of how a person gave their permission and that person must be able to withdraw their consent at any time.
There are also rules on transparency, covering the ways that information is collected and held and what is done with it. Further, a ‘right to be forgotten’ is built into the law, so that people can demand that their data be deleted.
The definition of personal data has also been greatly expanded, so IP addresses now count as personal data.
People will have the ‘right to portability’, so they can transfer information held between service providers more easily.
There are also rules under which people can ask for access to the data held on them.
Companies are required to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure, in line with the new GDPR regulations.
Another new area will be that of reporting data breaches—you must let the ICO know within 72 hours if your data suffers any type of breach. It’s best not to forget this one in particular, as the ICO can fine you 10 million Euros, or 2% of your global revenue—whichever is the greater. For ignoring people’s new rights, the fines are even higher; in fact, they are double.
As the date of the law gets closer, Global Britain will be covering the GDPR issue in more detail to help you in getting ready for GDPR, and providing some solutions and working practices for companies.