There has been a lot of scaremongering and uncertainty circling the upcoming GDPR, so we thought we would set out the changes in plain English. So here they are –
The law comes into force on Friday May 25th, 2018.
It replaces the previous 1995 data protection directive, which current UK law is based upon.
At present a Subject Access Request (SAR) allows businesses and public bodies to charge an individual £10 to be given the personal information held about them. Under the GDPR, such requests must be handled free of charge and the information must be handed over within 1 month.
If a company breaks the GDPR rules, fines of up to £10 million or 2% of the firm’s global turnover (whichever is greater) can be issued. Breaches with more serious consequences can attract fines of up to £20 million or 4% of the firm’s global turnover (whichever is greater).
Personal data is any information relating to a person (the ‘data subject’) that can be used to directly identify that person. Anything from a name, photo, email address, bank details, social media posts, medical information or sexual orientation to a computer’s IP address is classed as personal data.
A Data Protection Officer (DPO) must be appointed if a business is a public authority, an organisation that engages in large-scale systematic monitoring, or an organisation that engages in large-scale processing of sensitive personal data (such as any of the examples above).
Conditions for consent have been strengthened: businesses will no longer be able to use hidden terms and conditions as the request for consent. The request must be separate and easily legible, and it must be easy to withdraw consent at any time.
It becomes mandatory to notify the ICO, and any at-risk customers whose data has been involved, of any personal data breach. This must be done within 72 hours of the business becoming aware of the breach.
This is in light of the breach in October 2015, where cyber criminals took advantage of technical weaknesses in TalkTalk’s systems, resulting in the compromise of 157,000 customers’ personal details.
TalkTalk’s eventual financial results put the true cost of the breach at around £60m in 2016 alone. Between customers leaving, the damage to its reputation and a £400,000 fine, preventing the breach would have saved TalkTalk hundreds of millions.
Although the GDPR says very little about technical security controls, it does refer to pseudonymisation and encryption as appropriate safeguards for personal data.
Encryption is the process of converting information or data into a code, especially to prevent unauthorised access. Pseudonymisation is the separation of data from its direct identifiers, so that linking it back to an identity is not possible without additional information that is held separately. Pseudonymisation can therefore significantly reduce the risks associated with data processing while still maintaining the data’s utility.
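To make the pseudonymisation idea concrete, here is an added Python example (written for this post; it is not code from any GDPR guidance or from the page’s author). It takes a small set of constructed customer records, strips out the direct identifiers (name and email address), replaces them with a keyed token, and keeps the token-to-identity lookup in a separate structure. The field names, the choice of HMAC-SHA256 for the token, and the sample records are all assumptions made for the example. The point it shows is that the working dataset remains useful (repeat records for the same person still link together) but cannot be tied back to a real person without the key and lookup table, which must be stored apart from the dataset.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Fields that directly identify a person and must not remain in the working dataset.
# (Assumed field names for this example.)
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample records; these are not real people.
SAMPLE_RECORDS = [
    {"name": "Ada Example", "email": "ada@example.org", "postcode_area": "SW1", "plan": "premium"},
    {"name": "Bob Sample", "email": "BOB@example.org", "postcode_area": "M1", "plan": "basic"},
    {"name": "Ada Example", "email": "Ada@Example.org", "postcode_area": "SW1", "plan": "premium"},
]


def subject_token(key: bytes, email: str) -> str:
    """Derive a stable pseudonym for a person from their e-mail address.

    A keyed HMAC is used rather than a plain hash: the key is the 'additional
    information held separately'. Without it, nobody can recompute the token
    from a guessed e-mail address, which an unkeyed hash would allow.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:20]


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, dict]]:
    """Split records into a pseudonymised dataset and a separate lookup table.

    Returns (dataset, lookup). `dataset` carries no direct identifiers, only a
    `subject_id` token; `lookup` maps each token back to the identifiers and
    must be stored apart from the dataset (for example, encrypted elsewhere).
    """
    dataset: List[dict] = []
    lookup: Dict[str, dict] = {}
    for rec in records:
        token = subject_token(key, rec["email"])
        working = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working["subject_id"] = token
        dataset.append(working)
        # Keep the first-seen identifiers for each person.
        lookup.setdefault(token, {f: rec[f] for f in DIRECT_IDENTIFIERS if f in rec})
    return dataset, lookup


def reidentify(working_record: dict, lookup: Dict[str, dict]) -> dict:
    """Restore the direct identifiers; only possible with the separately held table."""
    identifiers = lookup[working_record["subject_id"]]
    restored = {k: v for k, v in working_record.items() if k != "subject_id"}
    restored.update(identifiers)
    return restored


def leaked_identifiers(dataset: List[dict]) -> List[str]:
    """Return any direct-identifier fields still present in the working dataset."""
    return [f for rec in dataset for f in DIRECT_IDENTIFIERS if f in rec]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once and stored apart from the dataset
    dataset, lookup = pseudonymise(SAMPLE_RECORDS, key)
    print("working dataset:", dataset)
    print("identifiers leaked:", leaked_identifiers(dataset))
    print("record 0 re-identified:", reidentify(dataset[0], lookup))
```

The check in `leaked_identifiers` is the kind of assertion worth running before a pseudonymised extract is handed to analysts or a third party; the key and the lookup table are what turn a breach of the working dataset from a disclosure of personal data into a disclosure of tokens.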
Have an opinion? We’d love to hear your thoughts. Tweet us @nimbusmaps.