Data protection - new rules, greater personal security
Regardless of the Brexit negotiations, the General Data Protection Regulation (GDPR) comes into force on 25th May 2018. Companies will need to plan ahead to make sure they comply.
The amended regulations apply to all companies processing the personal data of people living anywhere in the EU, regardless of the company’s location.
Businesses will need to ensure they have the correct procedures in place or they risk a hefty fine of up to €20m or 4% of annual global turnover. For example, a company can be fined 2% for not having their records in order, not notifying the supervising authority and person to whom the data relates about a breach of data security, or not conducting an impact assessment on that breach.
What is new, and particularly important, in this legislation is that cloud-stored data will no longer be exempt from GDPR enforcement.
The good news for individuals is that companies will no longer be able to use long illegible terms and conditions full of legalese. The request for consent to process personal data must be given in an intelligible and easily accessible form, with the reason for the data being processed attached to that consent.
The new legislation also updates the rights of people whose personal data is held by a company for any reason.
How can a business make sure it's compliant?
There are a number of key actions that can help to ensure a business meets the new Data Protection standards. These include:
- Holding information – organise the personal data your business holds in a way that can clearly identify where it’s sourced from, who it is shared with and where it is stored
- Privacy – review privacy notices, ensure they are written in plain English and can be easily amended to allow for further regulation changes
- Consent – review the methods used to seek, record and manage consent by individuals for use of their data by your business. Assess whether changes are needed to comply with the new regulations
- Data breaches – make sure the right procedures are in place to detect and report data breaches quickly and effectively
- Data Protection Officer – designate a Data Protection Officer for the company to take responsibility for data protection compliance.
How can I find out more?
The Information Commissioner's Office is responsible for managing the GDPR changes and has published a useful 12-step guide to help companies prepare for the changes. It also offers explanations of the changes and how they apply on the ICO website.
To find out more about the potential implications of the GDPR on holding financial data and how to stay on the right side of the Regulation, contact NWNBlueSquared.