The EU’s General Data Protection Regulation (GDPR) has applied since 25 May 2018. It provides for far larger fines than the previous regime, with a maximum of €20 million or 4% of the company’s worldwide annual turnover, whichever is higher.
- In addition, individuals are entitled to claim compensation for material or non-material damage suffered as a result of a breach of the Regulation.
Other changes in your processes that GDPR will require you to make:
- The right to be forgotten (the right to erasure) will have greater prominence.
- The definition of personal data will be broadened, so that online identifiers such as IP addresses and cookie identifiers can count as personal data.
- Where consent is relied on, it must be freely given, specific, informed and unambiguous (and explicit for special category data such as health or biometric data); consent is only one of six lawful bases for processing, and personal data must not be kept for longer than is necessary for the purpose it was collected for, meaning that data retention could become a major headache.
- Businesses will be required to report a personal data breach to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. You will, therefore, need a positive internal reporting culture so that breaches reach the right people quickly enough to remain compliant.
- Public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data, must appoint a Data Protection Officer (DPO). Both data controllers and data processors have direct legal obligations under the Regulation, and under the UK’s implementing legislation directors and officers can be held personally liable where an offence is committed with their consent, connivance or neglect.
Data Protection Bill
Whatever happens with Brexit, all UK organisations that process personal data will have to comply with the GDPR, which applies from before the UK’s expected departure from the EU. The UK will also bring in a new Data Protection Bill (DPB) to replace the Data Protection Act 1998 (the Bill became the Data Protection Act 2018 on 23 May 2018).
There will be few differences between the DPB and the GDPR, although the Bill goes further on the right to be forgotten for social media posts made before someone turned 18. It will also be a criminal offence to alter, conceal or destroy records in order to prevent their disclosure in response to a Subject Access Request.