New legislation brought forward by the government this summer will give people the right to force social media companies and other online traders to delete personal data about them. This move by the UK government is a clear indication that the UK will comply with the EU’s General Data Protection Regulation (GDPR), which will come into force in May 2018. It also highlights that the UK government wants to help ensure that data can continue to flow freely across our borders after Brexit.
The GDPR aims to make it easier for EU citizens to manage and understand what data of theirs is held by organisations whilst updating cybersecurity regulation.
What does this mean for UK organisations?
The pressure is on for UK organisations to comply with the EU’s GDPR. Organisations will have to ask clients and customers to opt in before they can collect personal data. The Information Commissioner’s Office (ICO) will have the authority to impose stricter penalties for non-compliance of up to 4% of global annual turnover or £17 million, whichever is higher.
Whilst this is a marked increase on current penalties (maximum £500,000), the ICO remain committed to guiding, advising and educating organisations about how they can comply with the law. They maintain that a fine is a last resort.
The GDPR will apply to ‘personal data’ that is held about employees. Organisations will no longer be able to treat someone’s silence or inactivity as consent; they will need to be explicit when seeking consent and detail how the information will be used.
The ICO have published information, including 12 steps to take now to prepare for the GDPR. Broadly, you should check your current data protection procedures and plan how to update them to comply with the changes in the law. For example, do you have adequate systems in place to manage data breaches? The GDPR requires a breach to be reported within 72 hours of discovery. Do you need to formally designate someone as a Data Protection Officer to take responsibility for data protection compliance?
There is a long way to go for compliance, and experts have identified challenges such as identifying and defining exactly what constitutes ‘personal data’. Preparing your business for GDPR compliance might seem daunting, but keeping up to date and using information from the ICO should help to make sure your organisation is compliant.