There are now just 722 days until the EU’s new General Data Protection Regulation comes into force on 28 May 2018.
It will have a huge impact on UK firms, even if we leave the European Union, and several notable provisions are included in the law.
However, recent data shows that many organisations, across all sectors, are still losing data left, right and centre. With that in mind, V3 has put together a quick list of the key requirements the new law will place on organisations.
1. It’s a regulation, not a directive
This means that the law will apply equally in all nations across Europe, which should bring uniformity and clarity to businesses operating in different countries or looking to expand.
It also means that firms from the US processing data on EU citizens must adhere to the law, even if they have no presence in any European nation.
2. Larger fines
The biggest fine an organisation can face from the UK’s Information Commissioner’s Office (ICO) is currently £500,000 (although it has never issued such a large penalty).
However, under the GDPR these powers will increase to €20m or up to four per cent of a company's global annual turnover, whichever is higher.
3. Firms of over 250 staff must employ a data protection officer
The EC wants to ensure that large organisations processing a lot of data have someone who takes responsibility for that information, and having a data protection officer role is part of the new law.
However, this applies only to firms with over 250 staff in an effort to reduce the burden on SMEs. Smaller firms may still need to employ someone in this role if handling personal data is core to their operations.
This may not have to be a full-time employee, but could be "an ad-hoc consultant, and therefore, would be much less costly".
4. Rapid notification of breaches
One big change is that the GDPR will require firms to notify data protection authorities, such as the ICO in the UK, of any data loss incidents as soon as possible, which the EC suggests should be within 24 hours “when feasible”.
How often this is adhered to will be one of the most interesting elements of the new law when it comes into force. Organisations would do well to bear this in mind: if such rapid notification does become the norm, they will have to get used to responding promptly to any incidents.
5. Right to move data or have it deleted
Organisations must make it possible for people to have their data removed from a database if there is no legitimate reason to keep it.
Similarly, citizens who want to switch from one firm to another can request that their data be moved from one provider to the other, which the EC said should promote competition among businesses.