There’s been a lot of talk in the media over the last 12 months about GDPR, but what is it, and what does it mean for you?
GDPR stands for General Data Protection Regulation. It is a new EU regulation governing how organisations should handle and protect our personal data. It replaces the current UK Data Protection Act 1998.
The GDPR updates the stipulations set out in the Data Protection Act for the digital age. Simply put, organisations need to keep records of all personal data, show that consent was given, show where the data’s going, what it’s being used for, and how it’s being protected.
The new legislation puts more emphasis on responsibility and accountability for businesses dealing with personal data. Sanctions for non-compliance have also been increased, with fines up to 20 million euros or 4% of worldwide turnover, whichever is greater. For large worldwide businesses, that could amount to billions of euros.
Under GDPR, the reporting of a data breach is not subject to any minimum threshold. For example, if personal data gets stolen after a cyber-attack, companies must report the breach within 72 hours of becoming aware of it, regardless of how many records are affected. The definition of personal data is also expanded to include any identifying information, such as your computer's IP address or genetic make-up.
Another key aspect of GDPR is the Right of Access. Under the current Data Protection Act, individuals are able to make a Subject Access Request for the personal information a company holds about them, which ordinarily incurs a small administration fee. Under GDPR, the timescale a company has to respond to these requests will decrease from 40 calendar days to one month, and in most cases (unless the request is manifestly unfounded or excessive) the administration fee will no longer apply.
The GDPR will replace the UK's Data Protection Act 1998 from 25 May 2018, and the government has confirmed that the UK's decision to leave the EU will not change this. A lot of work has taken place over the last 12 months to ensure Advantis is in line with the new regulations in readiness for the May implementation date.
If you're interested in reading more about GDPR, the Information Commissioner's Office has published a useful guide to GDPR which can be found here.