Is your business ready for GDPR?

14th February 2018

The General Data Protection Regulation (GDPR) has been on the radar of many businesses for a while now. It's an act which is the result of four years of preparation and debate by the EU to ensure that data is handled and stored in the correct way in businesses throughout the UK and EU. Yet, according to our own research, 21% of businesses do not know how they will prepare for compliance over the next few months.

The reality is that if you are already complying with the Data Protection Act (1988) then you may not need to make too many changes within your organisation. If you are unsure whether you comply with the Data Protection Act (DPA), the Information Commissioner's Office (ICO) have put together a handy self-assessment toolkit which can identify if there is anything else which you need to do.

Making the step up to GDPR compliance will vary from business to business throughout the UK and EU; for example, you may have to dedicate a member of the team to ensuring GDPR compliance, or specific teams will need to be taught what needs to be done to prepare for GDPR. It’s important to start putting measures in place now to ensure that you are prepared for the GDPR 2018 and are aware of the potential fines associated with non-compliance.

GDPR checklist

The GDPR applies to ‘controllers’ and ‘processors’ of personal data: controllers determine how and why personal data is processed, while processors carry out the processing of that data on the controller's behalf.

To help you and your business prepare, the ICO have put together two new checklists – one for data controllers, and another for data processors. If you are unsure if you are a controller or processor of data then it would be advisable to complete both assessments.

Data controllers

The checklist for data controllers will help controllers assess, at a high level, their compliance with the new GDPR legislation. It covers the new rights of individuals, handling subject access requests, consent, data breaches and designating a data protection officer.

Data processors

Understand and assess your business’s high-level compliance with this checklist for data processors. It covers the new requirements for data processors, the rights of individuals, data breaches, and designating a data protection officer.

GDPR fines

Until the GDPR is enforced in May, businesses that fail to adhere to the Data Protection Act 1988 (DPA) could incur fines of up to £500,000. This will soon change when the new regulation is introduced.

Ever since the EU General Data Protection Regulation (EU GDPR) was first mentioned, the increase in administrative fines for non-compliance has been the main concern for most businesses.

GDPR fines are discretionary rather than mandatory. They'll only be imposed on a case-by-case basis and will be based on the specific articles of the regulation that the organisation has breached.

There are two tiers of fines which can be levied:

  • Up to €10 million, or 2% annual global turnover - whichever is higher
  • Up to €20 million, or 4% annual global turnover - whichever is higher

When deciding whether to impose a fine and the level, the ICO will consider the following criteria:

  • The nature, weight and duration of the infringement;
  • The intentional or negligent character of the infringement;
  • Whether any action has been taken by the organisation to mitigate the damage suffered by individuals;
  • If technical and organisational measures have been put in place;
  • Any previous infringements;
  • The degree of cooperation to remedy the infringement;
  • Types of personal data involved;
  • How the regulator discovered the infringement;
  • The manner in which the infringement became known to the supervisory authority, in particular whether and to what extent the organisation notified the infringement;
  • The extent to which the controller or processor notified the infringement; and
  • Adherence to approved codes of conduct or certification schemes.

It’s important to note that not all infringements will lead to serious fines.

The ICO has a range of corrective powers and sanctions to enforce the GDPR besides imposing hefty fines. These include issuing warnings and reprimands; imposing a temporary or permanent ban on data processing; ordering the rectification, restriction or erasure of data; and suspending data transfers to third parties.
