Despite Brexit, the legislation will still be applicable to the UK. The British Chambers of Commerce are recommending that all companies which possess personal customer data prepare themselves from the protection act, as serious repercussions could occur from not following the new regulation.
The General Data Protection Regulation aims to protect the personal data of companies. With cyber-attacks on the rise and a growth in knowledge of how to do so, data breaches are hard to avoid; it’s vital that companies go through the correct procedures to protect their client’s details, and can prove they have done this. The GDPR aims to prevent the exploitation of personal data, and seeks to strengthen the protection of this data with tougher enforcement requirements and heavier fines.
The GDRR will apply to all companies and ‘processors’ who deal with personal data; it is not only the company who manage the data in danger of prosecution, but the processors who process the information through the company (e.g. an IT firm). The legislation will apply to all parties whether they are in or out of the EU; if the processors are affiliated with an EU company (the UK included) then they will be implicated if anything was to arise.
One of the main targets that the GDPR seeks to meet is increasing the control people have over their own data. The term personal data has expanded the definition under the GDPR. Personal data can include the IP address of the person, economic, cultural, or mental health information, and other personal information that can be linked to a specific identity. Consent to obtain someone’s personal data must be an active confirmation by the subject, rather than a vague tick box for opt-outs. This way, people can make a clear decision on whether they want their information to be used by a company.
You may have heard the term the ‘right to be forgotten’ when discussing the GDPR. This means that a person has the right to demand that their data is deleted from a certain company’s records if they no longer want to share it with them. Under this rule, they can also demand that their data is not shared or collected. The controller is then responsible for telling other organisations connected to them to remove any links or copies of the data. Alongside this, if the person wanted their information moved to another organisation, then the controller must do so, free of charge, within four weeks.
Additionally, the individual has a right to view all the information that a company is holding about them, how long they have stored it for and who gets to view their data. The reason behind this is to ensure that all companies are being transparent and truthful regarding personal information.
It is considered the company’s responsibility from protecting themselves against security breaches, and telling their data protection team about the attack. The GDPR has implemented a 74-hour window whereby a company must report their attack to authorities as well as the owners of breached data, otherwise they could face serious fines.
Those who fail to contact their data protection agency and those affected within the 74-hour window could face a fine of either 2% of their annual worldwide revenue, or $10 million (whichever is higher). That is a massive chunk of an annual turnover!
With this, if you don’t follow the basic and lawful principles for processing data such as ignoring the consent of the individual or ignoring their rights or requests and transfer their data, your data protection authority could issue a penalty of $20 million or 4% of the global annual turnover (whichever is more).
Despite leaving the European Union, Brexit will be no excuse to opt out of the law enforcement. Since the UK has not yet triggered Article 50, which sets in motion the act of leaving the EU over a two-year period, the GDPR will still take effect. However, when we eventually do leave the EU, the GDPR will be adopted into UK law due to its emphasis on personal data protection (with possible leverage). The UK, in August 2017, put forward a new Data Protection Bill that is almost identical to the GDPR. Once this is accepted, the UK Government will aim to put this in place once the GDPR is no longer applicable to the UK once we leave Brexit.
It has never been more important for you and your business to be fully aware of what data your company holds, uses and stores. It’ vital that businesses take great care ensuring that their company complies with the new requirements, and it’s best not to leave it down to the last minute; ensuring you have insurance and tracking of all your data is something that takes time and effort to do, but doing so could save your business thousands to millions of pounds if done correctly. Some companies are enquiring about staff GDPR training, and hiring a GDPR specialist to overlook the system and ensure the company is following lawful procedures. With this, proving that your company takes pride in the security of consumer’s privacy of information is a key selling point, and can reduce the possibility of public scrutiny if you were to be prosecuted when this rule takes place. The GDPR seeks to purify the usage of personal data which, in today’s age, is often taken for granted; if your company demonstrates understanding and supports this notion, you can only receive positive feedback. If you want to find out more about how to comply with the GDPR, click here.