GDPR stands for “General Data Protection Regulation”. It is an EU law intended to give individuals more control over their personal data. It came into force on 25th May 2018. GDPR strengthens the position of individuals (the “data subjects”) by granting them a set of enforceable rights: the right to erasure, the right to rectification and the right to data portability, to name a few. (Read more about Data Subject Access Rights (DSARs) here.)
Although GDPR is an EU law, it is not limited to organisations based in the EU. It applies to any organisation, wherever it is established, that offers goods or services to individuals in the EU or monitors their behaviour. Note that the test is whether the individuals are in the EU, not whether they are EU citizens, and that “personal data” under GDPR is broader than the PII (Personally Identifiable Information) concept used in US law: it covers any information relating to an identifiable person, including online identifiers such as IP addresses. A company based in the United States or Australia therefore has to comply if it processes the personal data of people in the EU, even if that is only one person.
This should also answer any question as to whether the UK is affected by GDPR post-Brexit. UK companies will inevitably process personal data of people in the EU and so remain within the regulation’s scope, and in any case the UK has carried the same rules into domestic law (the Data Protection Act 2018 and the “UK GDPR”), so the obligations do not disappear at the border.
The UK’s regulator for data protection is the ICO (Information Commissioner’s Office), and it is the supervisory authority that enforces GDPR in the country. The ICO has already been called into action on high-profile cases, such as its investigation of Facebook and Cambridge Analytica over the misuse of Facebook users’ data.
If your organisation suffers a personal data breach, you must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected. The clock starts when you become aware of the breach, not when you finish investigating it. You can use that time to contain the incident, assess the impact and reinforce your security, but the notification must be made before the 72 hours run out; if you cannot give the full picture yet, GDPR allows you to notify in phases and supply the remaining details as they become available. If you miss the deadline, the notification must be accompanied by the reasons for the delay. Separately, if the breach is likely to result in a high risk to the affected individuals (for example, leaked credentials or financial data), you must also inform those individuals without undue delay. In every case, contact the ICO (or the appropriate supervisory authority for your country) as soon as possible.
If your organisation is found at fault for a breach, the maximum fine is €20,000,000 or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher (a lower tier of €10,000,000 or 2% applies to less serious infringements, such as failing to keep adequate records or failing to notify a breach). These are daunting figures, but the ICO takes a proportionate approach, especially with smaller organisations. Some leniency may be shown to small organisations that are not yet fully compliant, but there will be none for breaches caused by negligence or for mishandling personal data.
That is the basic GDPR information you need to know. We have listed some sources below if you want to learn more about GDPR.
Some questions, though, are best answered by experienced GDPR consultants. Get in touch with us if you have a specific question: we can answer your queries and help ensure your compliance with our services (see here). You can also view our GDPR FAQs page here.
EU GDPR homepage: https://www.eugdpr.org/
GDPR info: https://gdpr-info.eu/