March 29, 2017 admin

Some Hard Facts About the GDPR

1. Brexit

Many business owners are assuming that because the UK has voted to leave the European Union – especially since article 50 was triggered making this formal – that the GDPR will no longer need to be implemented.

This is not the case. The ICO have indicated that business will be required to comply by 25th May 2018 along with the rest of Europe. Additionally, it is foreseen that during the enactment of the Great Repeal Bill when the UK officially leaves the EU in May 2019, all the current statutes of the Union will be absorbed into UK law – the GDPR included. There is also the matter of trade with Europe. It will be a condition of doing business that involves personal data of an EU citizen that the GDPR is complied with. Remember, even when we are out of the EU and even if we drop the GDPR there will be many EU citizens living in the UK. Therefore, it is so unlikely to be dropped so we may as well get on with it.

2. The ICO are going to issue fines.

The ICO have recently fined some high-profile businesses under current legislation as part of a crackdown. It has also indicated that it will be fining under the GDPR for non-compliance and for breeches of the regulations. The maximum fine under the GDPR will be €20 million or 4% of the company’s global turnover, whichever is higher. This level of penalty can financially ruin a company – it is not advisable to ignore one’s obligations.

3. Personal data breaches must be reported within 72 hours

Firstly, lets explain what constitutes a personal data breach. The GDPR defines a personal data breach as:

Article 4(12) personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

So, it isn’t just theft or unauthorised access. If you cannot access data because of a virus or ransomware attack, you must notify the ICO.

You are required to notify the ICO within 72 hours of being aware of the breach. You need to assess the likely impact to the data subjects (people) concerned of the loss and possibly inform them as well. When reporting a breach, there is a lot of information that needs to be put together and not much time to do it. It is vital to have a breach plan to guide you and speed up the process. Failure to report within the given timescales without good reason (and not having a plan isn’t a good reason) may result in a fine.