What is GDPR?
Effectively an EU law (a Regulation, so directly applicable in every member state) designed to protect the personal data rights of individuals in the EU.
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
Why should I/my business care?
If you don’t follow the regulation, you are unlikely to be able to satisfy the stringent criteria around personal data. This could lead to your data subject(s) complaining to the Information Commissioner’s Office (ICO, the UK supervisory authority) and ultimately to financial penalties.
Organisations can be fined up to 4% of annual global turnover or €20 million, whichever is greater. This is the maximum fine, reserved for the most serious infringements, e.g. breaching the basic principles for processing (including the conditions for valid consent), infringing data subjects’ rights, or transferring personal data outside the EU unlawfully. Fines are tiered: a lower tier of up to 2% of annual global turnover or €10 million, whichever is greater, applies to infringements such as not keeping records of processing activities in order (Article 30), not notifying the supervisory authority and affected data subjects about a breach, or not conducting a data protection impact assessment where one is required. It is important to note that these rules apply to both controllers and processors, meaning ‘cloud’ providers will not be exempt from GDPR enforcement.
Does it apply to me/my business?
If you process personal data of individuals in the EU then it will almost certainly apply to you.
The GDPR applies not only to organisations established within the EU but also to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, data subjects in the EU. In short, it applies to any company processing or holding the personal data of data subjects residing in the European Union, regardless of where the company itself is located.
What if I ignore it?
Be prepared for a knock on the door from the Information Commissioner’s Office and quite possibly a fine as indicated above, as well as potential damage to your business’s reputation.
Indicative difference in the level of fines, from an analysis of data protection fines conducted by the NCC Group.
According to the study, the data protection fines imposed by the Information Commissioner’s Office (ICO) against British companies in 2016 would have totalled £69 million had GDPR applied. Compare this with the fines actually imposed, £880,500, a difference of £68,119,500.
Source: NCC Group
So what should my business do now?
GDPR entered into force in May 2016 with a two-year transition period; it applies, and becomes enforceable, from 25 May 2018.
It is imperative that all ‘in-scope’ businesses have made every effort to comply with the regulation by that date.
- Encourage your business to learn as much as possible about the GDPR
- Work out where you stand with respect to the regulation
- Create a plan and secure budget to remediate any deficiencies
Businesses that comply will most likely gain a competitive advantage and will be looked upon favourably by the ICO should complaints be made or a data breach occur.
Businesses that are ‘on the path’ and are able to demonstrate significant progress towards meeting the regulation will similarly be looked upon more favourably than the remaining category.
Businesses not covered by the above fall into categories such as:
- ‘done nothing’
- ‘what is GDPR?’
- ‘thought we could get away with it’
These are likely to attract punitive fines, generate adverse publicity and, at least in the early stages, could become the highly publicised examples of what happens if you ignore the regulation.