What It Means To You
After 4 years of preparation and debate, the GDPR was finally approved by the EU Parliament on 14 April 2016. On 25th May 2018, the new General Data Protection Regulation (GDPR) will come into force. The GDPR replaces the existing Data Protection Act 1998 governing how data is managed. It applies to all businesses in the European Union (EU). The GDPR will form part of UK law following the country's withdrawal from the EU. The GDPR was designed to harmonize data privacy laws across Europe in response to developments in internet and cloud technologies. There are now so many ways to collect and store personal data that new measures are required to ensure that personal data is kept safe and is only kept for legitimate purposes.
What Constitutes Personal Data?
Personal data is any information relating to a natural person, or ‘Data Subject’, that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
GDPR Timeline Of Events
GDPR places a strong emphasis on accountability and transparency, holding businesses accountable for safeguarding the collection, usage and storage of client personal data. Companies that use 3rd party software such as payroll or accounts packages will need to ensure these systems are GDPR compliant. Businesses are required to identify a lawful basis for processing client personal data, to process it fairly and accurately, and to keep it in a form which permits the identification of data subjects for no longer than is necessary. It is advised that businesses ensure that they have detailed procedures in place to detect, report and investigate a personal data breach. Failure to prevent a data breach can result in fines of up to 4% of total annual worldwide revenue or €20 Million. There is a tiered approach to fines, e.g. a company can be fined 2% for not having its records in order, for not notifying the supervising authority and data subject about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.
TLP has engaged a professional GDPR audit company to make sure our clients have peace of mind that their data is secure. Further guidance on complying with the GDPR requirements can be found on the Information Commissioner’s Office (ICO) website – https://ico.org.uk/