The EU General Data Protection Regulation (GDPR) will affect every UK organisation that processes the personal data of EU residents. The new regulation will come into effect from 25 May 2018.
The new regulation is more extensive in scope and application than the current Data Protection Act (DPA), and requires organisations to develop clear policies and procedures to protect personal data, and to adopt technical and organisational measures appropriate to the risks they identify.
The Brexit question
Regardless of Brexit, UK organisations handling personal data will still need to comply with the GDPR. The GDPR comes into force before the UK leaves the European Union, and the UK government has confirmed that the regulation will apply, a position confirmed by the Information Commissioner.
The new Regulation mandates tougher penalties than the DPA: under the GDPR, organisations found in breach can expect administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater. Fines of this magnitude could easily lead to a business becoming insolvent.
Data breaches are becoming more frequent, and are increasing in scale and severity every day. As Verizon’s 2016 Data Breach Investigations Report reaffirms, “no locale, industry or organization is bulletproof when it comes to the compromise of data”, so it is vital that organisations become aware of these new obligations so that they can prepare and become compliant.
DPA penalties and the ICO
The Data Protection Act 1998 (DPA) is enforced by the Information Commissioner’s Office (ICO), which has several options when it finds an organisation to be in breach of the act:
Monetary penalty notices: Fines of up to £500,000 for serious breaches of the DPA.
Prosecutions: Including possible prison sentences for deliberately breaching the DPA.
Undertakings: Organisations have to commit to a particular course of action to improve their compliance and avoid further action from the ICO.
Enforcement notices: Organisations in breach of legislation are required to take specific steps in order to comply with the law.
Audit: The ICO has the authority to audit government departments without consent.
Increased penalties under the GDPR
When the EU General Data Protection Regulation (GDPR) is enforced from 25 May 2018, breached organisations will find the fines they face increasing dramatically.
From a theoretical maximum of £500,000 that the ICO could levy (in practice, the ICO has never issued a penalty higher than £400,000), penalties will reach an upper limit of €20 million or 4% of annual global turnover – whichever is higher.
Under the GDPR, penalties will soon be very real, and the risk to an organisation's or business's solvency is extremely high.
Fifteen months is not long to bring an organisation to a state of compliance with the new law, which is why it’s essential to get preparing now.