GDPR: the one acronym that you can’t go a day without hearing in the information security and legal sectors. Replacing the Data Protection Act 1998 (DPA) in the UK, and the 1995 Data Protection Directive across the rest of the EU, the General Data Protection Regulation (GDPR) standardises data protection law across borders so that everyone knows where they stand when personal data is collected, shared, processed or disposed of.
Applying in full from the 25th of May 2018, GDPR will have an impact on everyone regardless of their job role. Whether you are a data controller, a data processor or a data subject, you need to know your rights, roles and responsibilities to ensure that everyone is complying with the terms of the new law.
As of May 25th 2018, GDPR applies directly in every member state of the European Union; because it is a Regulation rather than a Directive, it does not need to be transposed into national law to take effect.
“We’re leaving the European Union, so this won’t change anything for us!”
We might be leaving the European Union, but the United Kingdom has played a major part in the evolution of the GDPR. The development process of the legislation started before the EU referendum last year, and GDPR applies directly in the UK for as long as it remains a member state, so an equivalent regime will be in place to mirror the laws in the other current member states.
In June 2017, in her annual Queen’s Speech, Queen Elizabeth II announced that a new Data Protection Bill will be brought forward in the current parliamentary term, which quashed any doubt about whether the UK would adopt GDPR because of Brexit.
Why is GDPR needed?
Despite a few amendments over the years, the last time a wide-scale change was made to data protection legislation was back in 1998 – a time before social media and the year Google was founded. The gigantic shift in the digital landscape since then has made our current laws outdated.
What GDPR will do is tighten up the current data protection laws, strengthen the standard of consent for individuals and clarify many of the grey areas with regard to what you can and cannot do with personal data. A lot has been made of GDPR, and the ICO in particular has been critical of the ‘scaremongering’ that has taken place, because it believes that GDPR is ‘evolution, not revolution’.
Steve Wood, Deputy Commissioner (Policy) at the ICO, has stated that if you are already following the DPA correctly, then GDPR is just a ‘step change’. However, there will be changes in approach which will affect your business and your employees.
What has changed?
Changes to accountability will inevitably have an impact on how you view data protection in your organisation. In the past, only data controllers were accountable for a data protection failure, but under GDPR data processors carry direct statutory obligations of their own (for example on security, record-keeping and breach notification) and can be held liable alongside the controller for non-compliance.
You will also need to be able to demonstrate your organisation’s compliance with the rules, not just comply with them; this is the accountability principle. One of the main tools for this is the Data Protection Impact Assessment (DPIA), which is mandatory for any processing that is likely to result in a high risk to individuals. Completing an assessment before processing starts lets you identify the risks and likely impacts of a processing operation and fix any non-compliances while they are still cheap to fix.
The rights of individuals have expanded, and ‘implied consent’ is left behind under the new regulation: consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action, so silence, inactivity and pre-ticked boxes no longer count. When it comes to your marketing teams, this will have an impact on their email lists, because consent obtained under the old rules only carries over if it already meets the GDPR standard, and you cannot assume that the personal details they hold were collected that way. Individuals must ‘opt in’ rather than ‘opt out’ of their personal details being used for marketing purposes, and your request for consent must be unambiguous, specific and clear. Bear in mind that consent is only one of the lawful bases for processing; where you rely on a different basis, you need to be able to name it and justify it.
A Data Protection Officer (DPO) was previously optional, but for certain organisations it is now mandatory. You will have to appoint a DPO if you are:
Plenty has been said with regard to the revamped fines that the ICO will be able to hand out to organisations that fail to comply with the new legislation.
Under GDPR, an organisation can be fined up to €20 million (roughly £17 million) or 4% of its global annual turnover, whichever is higher, for the most serious infringements; a lower tier of €10 million or 2% of turnover applies to others. Rumours have been circulating that the ICO will be looking to hand out the maximum fine early on to prove a point too! Scary, right?
Well, like many rumours, they’re nothing more than hearsay. It’s highly unlikely the ICO will be looking to fine ‘Dave’s Chippy’ £17m for non-compliance, considering that under the Data Protection Act the highest fine to date was the £400,000 imposed on TalkTalk (£100,000 under the £500,000 maximum). What is more likely is the ICO making examples of larger organisations through naming and shaming; the fine itself is just a number. It’s useful to keep in mind, however, that last year’s fines would have been 79% higher under GDPR.
What should I be doing now?
First and foremost, you need to start preparing for the 25th of May 2018 now. By reading this blog you are already on your way, but there is a lot that your organisation needs to do before the law applies.
Bob’s Business GDPR Training
Our GDPR course is designed to condense the new legislation into 9 easy-to-understand modules that will assist in understanding the new regulation. In keeping with Bob’s signature style, and built on content approved by trusted subject-matter experts, our suite of GDPR modules will help identify knowledge gaps and increase awareness within organisations.
When the new legislation applies from the 25th of May 2018, you want to ensure that your staff are armed with the information necessary to process, share or dispose of data securely and in line with the law.
Like our Information Security suite of modules, all of our training packages can be tailored and modified to meet your requirements, ensuring that they are in line with corporate policies and that staff are only completing modules that are necessary to the needs of their roles within your organisation.
If you would like more information on our GDPR courses, please get in touch.
Bob’s Business provides cyber security awareness training and simulated phishing campaigns with an approach that is memorable, engaging and entertaining. Our bite-sized modules help you achieve industry standards and a secure culture.