The General Data Protection Regulation (GDPR) came into force just over a year ago, on 25th May 2018, in response to significant advancements in the field of information and communication technology, including the growth of networks. The Regulation introduced a new harmonised data protection compliance regime across the EU member states and the EEA, together with more substantial penalties should there be a breach.
Key elements to ensure compliance
The key elements include, but are not limited to, the following requirements placed on entities handling or otherwise possessing personal data:
- Appointing a data protection officer (DPO) or other person with responsibility for managing the compliance programme;
- Conducting an internal data audit and compliance review;
- Identifying the data controller(s), both internal and external (third parties) (a data controller is a person/company that determines the purpose and manner in which any personal data is processed);
- Identifying the data processor(s), both internal and external (third parties) (a data processor means ‘any person (other than an employee of the data controller) who processes the data on behalf of the data controller’);
- Ensuring appropriate legal grounds exist for each processing activity, e.g. (i) sending unsolicited commercial communication, (ii) data transfers to third party processors, or (iii) international data transfers;
- Implementing systems to ensure only certain/authorised employees have access to personal data;
- Ensuring appropriate data security level;
- Privacy notifications, e.g. to customers and/or employees, setting out the company’s processing activities; and
- Ensuring systems and business processes are designed in compliance with GDPR.
Consequences of data breach
The importance of the above was highlighted in September 2018, when British Airways was the victim of a hacker attack which directed users to a fraudulent website, from which the hackers were able to access a large amount of customers’ personal data.
GDPR increased the fines for a data breach substantially, to a maximum of 20 million euros or 4% of the annual global turnover of the company in breach. The British Airways data breach is an example of this: the fine given by the Information Commissioner’s Office (ICO) was approximately £183 million (1.5% of its annual turnover in 2017); compare this with £500k, which was the biggest penalty imposed under the Data Protection Act 1998.
If you have not updated your ‘Privacy Policy/Notice’ since the introduction of GDPR and/or you have any doubts as to whether you are compliant, we recommend you seek independent legal advice so that your policy, procedures and compliance can be brought up to date.
The Corporate & Commercial Department here at Fisher Jones Greenwood LLP can assist you with the preparation of a new privacy policy, offer you advice on existing privacy policies and data processing and whether they are compliant with GDPR, provide any other related services, and assist you with the preparation of any other documentation required.
Should you require any information or assistance do not hesitate to get in touch. Please call 01206 700113 or email [email protected].
Source: BBC News