Whilst this may appear to be a sensationalist headline, the reality is that it might happen to you early next year. Let me explain.
On 25 May 2018, the EU General Data Protection Regulation (GDPR) will come into force, replacing the Data Protection Directive.
Its objective is to improve the control EU citizens have over their personal data, and to harmonise the existing EU regulations.
What If You Don’t Comply with GDPR?
The maximum penalties for data breaches increase dramatically under the new regulations.
The current maximum fine is £500,000 (and to date, no fine higher than £400,000 has been issued).
The GDPR will see the introduction of a two-tiered penalty system.
Businesses deemed to play an important role in data-handling will face fines of up to €20 million, or 4% of the global annual turnover for the preceding financial year, whichever is greater.
Other businesses will face potential fines of up to €10 million, or 2% of the global annual turnover, whichever is greater.
For your business, the threat of insolvency due to GDPR penalties could become very real.
Could you survive 4% of your global turnover being ripped from you?
Even if you could survive, would you want to unnecessarily surrender this?!
What Do You Need To Know?
The new statutory obligations will force data processors to observe data protection measures above and beyond the existing requirements.
Current EU data protection rules mean that service providers processing personal data on behalf of other businesses cannot be held directly liable to individuals for a breach of data security.
This is the responsibility of the data controller who contracted with them.
However, the new rules will require data processors to observe security measures above and beyond the contractual duties agreed with data controller customers.
The Data Controller and the Data Processor
The data controller is the person who is responsible for the storage and use of personal information within a company.
They make the final decision on what personal information will be kept and what this data will be used for.
In many organisations this will become part of the IT director’s remit, although bigger companies may well employ their own data controller.
The data processor can hold or process personal data. They do not exercise responsibility for, or control over, the personal data.
Examples of data processors include payroll companies and market research companies, which often process personal information on behalf of another party.
9 Key Areas
1. Responsibility and Accountability
The existing requirements remain and have been expanded.
The retention time for personal data has to be provided, together with contact information for the data controller and the data protection officer.
Automated individual decision-making, including profiling, will be contestable.
Data subjects will be given the right to question and challenge decisions made on an algorithmic basis.
Data Protection Impact Assessments must be conducted when specific risks occur to the rights and freedoms of data subjects. Risk assessment and mitigation is required.
2. Consent
Valid consent must be explicitly given for the data collected and its purposes (i.e. people must ‘opt-in’ rather than be presented with an option to ‘opt-out’).
Data controllers must be able to provide proof that consent has been given. Consent for children must be given by the appropriate adult party and this must be verifiable.
Finally, a data subject may withdraw consent at any time.
3. Data Protection Officers
In certain circumstances, an expert in data protection law must be engaged as a Data Protection Officer in order to ensure compliance within the organisation.
4. Pseudonymisation
The GDPR strongly encourages the use of pseudonymisation to reduce risks to the data subjects.
Pseudonymisation is the process that transforms personal data so that an individual data subject cannot be identified without further information.
This identifying information must be stored separately.
5. Data Breaches
The Data Controller will have a legal obligation to notify the Supervisory Authority without undue delay and within 72 hours of a data breach.
Data subjects must also be notified, unless their data has been anonymised or pseudonymised.
6. Right to Erasure
A data subject has the right to request erasure of personal data related to them on any one of a number of grounds.
The rights of even legitimate data processors and controllers are secondary to the rights of the data subject.
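To show what areas 4 and 6 mean in practice, here is an added example (not from the original article) of keyed pseudonymisation: the working table that analysts or processors receive carries only a token, the token-to-identity mapping is kept in a separate vault, and erasure removes the subject from both. The record layout, field names and the `pseudonym_for`, `pseudonymise`, `reidentify` and `erase_subject` functions are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample data; the direct identifier is the email address.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "orders": 3},
    {"email": "bob@example.com", "postcode": "M1 1AE", "orders": 1},
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "orders": 2},
]


def pseudonym_for(key: bytes, identifier: str) -> str:
    """Stable, keyed pseudonym for one identifier.

    An HMAC with a secret key is used rather than a bare hash: whoever holds
    only the pseudonymised table cannot re-identify subjects by hashing a list
    of candidate email addresses themselves, because they lack the key."""
    mac = hmac.new(key, identifier.strip().lower().encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:24]


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Split records into (working_table, identity_vault).

    working_table keeps the token plus non-identifying fields; identity_vault
    maps token -> real identifier and, as the text requires, must be stored
    separately from the table (own system, access control and audit logging),
    together with the key."""
    working_table: List[dict] = []
    identity_vault: Dict[str, str] = {}
    for rec in records:
        token = pseudonym_for(key, rec["email"])
        identity_vault[token] = rec["email"]
        working_table.append({"subject": token, "postcode": rec["postcode"], "orders": rec["orders"]})
    return working_table, identity_vault


def reidentify(identity_vault: Dict[str, str], token: str) -> str:
    """Controlled re-identification: only possible with access to the vault."""
    return identity_vault[token]


def erase_subject(working_table: List[dict], identity_vault: Dict[str, str], key: bytes, email: str) -> List[dict]:
    """Right to erasure: remove the subject from the vault and the working table."""
    token = pseudonym_for(key, email)
    identity_vault.pop(token, None)
    return [row for row in working_table if row["subject"] != token]


if __name__ == "__main__":
    table, vault = pseudonymise(SAMPLE_RECORDS, secrets.token_bytes(32))
    print(table)  # tokens only; the two Alice rows share one token, so analysis still links them
```

Because the same key gives the same token, repeat records for one subject remain linkable inside the working table, which is what distinguishes pseudonymisation from anonymisation; rotating the key breaks that linkage.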
7. Data Portability
A person shall be able to transfer their personal data from one electronic processing system to another, without being prevented from doing so by the data controller.
8. Data Protection By Design and Default
Data protection must be designed into the development of business processes for products and services, with high-level privacy settings as the default.
Mechanisms must be in place to ensure that personal data is only processed when necessary for each specific purpose.
Measures must also be taken to ensure that the entire data processing procedure is compliant with regulations.
9. Records of Processing Activities
Records of processing activities must be maintained and made available to the supervisory authority on request.
What Can You Do To Minimise The Risks?
It’s essential to begin preparing for this legislation as soon as possible.
With less than a year until it is introduced, companies don’t have long to bring themselves into a state of compliance.
Briefly, there are five steps to take to protect your organisation:
1. Understand what GDPR is and how it will affect your business. The full regulation can be found here.
2. Identify areas where you are not conforming to the new standards and take steps to achieve compliance.
3. Update and document your policies and procedures. Establish a culture of monitoring, reviewing and assessing these policies and procedures regularly.
4. Train your staff to comply with the new standards and ensure they understand their obligations. Establish a clear framework for accountability within your organisation.
5. Always be prepared for a breach and have a plan for reporting it within 72 hours.
Won’t Brexit Change The Rules Again?
In short, no, at least not in the immediate future.
The UK will still be a full EU member state in May 2018.
Even after Brexit, the general consensus is that the data protection obligations for UK companies are unlikely to change.
It may seem odd for a finance professional to advise on GDPR, but I see my role as being one that accelerates and protects your company’s growth. To further discuss how to protect your business from regulatory changes, you may wish to schedule an introductory chat with me. For an exploratory conversation, call 07947 810 036 or email firstname.lastname@example.org or of course message me via LinkedIn.