On the 25th May 2018, Europe’s data laws will undergo their biggest change in twenty years. The existing laws were created in the 90’s and in the following two decades the amount of data created and used has increased drastically, making the legislation outdated for the modern age.
The European General Data Protection Regulation (GDPR) replaces the 1995 data protection directive, which current UK business adhere to. This new regulation is intended to harmonise European data privacy laws and give individuals much more control over how their personal data is used.
The European Parliament and European Council adopted GDPR and created the regulation and its directive in April 2016 and set out a two-year timescale for affected parties to prepare for the changes. Companies, Organisations and Individuals that control or process personal data will be affected by these changes.
How is GDPR different?
1) Individuals will be able to access their personal data much more easily.
2) There will be hefty fines for companies that are found to be in breach of the regulations.
3) Organisations will be required to obtain clear consent from an individual they collect information about.
In the case of a data breach (personal information being accessed by an unauthorised party of the loss of your personal data) The Information Commissioner’s Office (ICO) in the UK will need to be notified by the business or organisation reporting the breach within 72 hours or they will be fined. Parties holding personal data will also need to document how this data is stored and used.
One great bit of news for individuals is that the £10 fee for a Subject Access Request (SAR) is being scrapped and companies must release requested data within 1 month.
With automated data processing, individuals must be notified of any changes to their data and how a decision has been made due to this change.
Individuals can also request for their personal data to be erased in some cases if consent is withdrawn, if this was unlawfully processed, if there is no legitimate interest or if the data is no longer fit for purpose.
In the UK, the ICO will enforce the new regulation. Following Brexit, a new Data Protection Bill is being implemented in the UK, which largely incorporates the provisions of the GDPR.
The GDPR for businesses outside of the EU can still have major implications. If you process data belonging to individuals that live and work in the EU, you will still need to comply with certain aspects of the directive.
In summary, the GDPR is a modernising of data protection laws to create a far safer and more transparent environment for personal information handling and processing, with compliance being the key factor. Businesses and Organisations will be more open and accountable and that is a great thing for everyone concerned.
The main point to take from this article is that any business that holds or processes personal data of EU individuals, needs to understand exactly what they must do to be compliant when the new regulation comes into place. If this is you, or you are unsure, then seek advice as early as possible to give you more time to comply. To some, it may cause no change, or require some minor adjustments, but to others it could involve lengthy tasks so it’s important to start the process of compliance as soon as possible.
Pearce IT provides GDPR consultancy and support to businesses, so if you haven’t yet checked what needs to be done, contact us and we can advise you on what you need to do. As a Microsoft Silver Partner Pearce IT only work with UK Hosting companies to comply with data protection and every solution we provide is fully GDPR compliant for our client’s peace of mind.