Firstly GPDR stands for General Data Protection Regulation and comes into force on 25th May. The recent stories about the use of Facebook data has brought into focus why these rules are being introduced. The trouble is that for the smaller business they are, potentially, an admin nightmare.
The key issues you need to understand and demonstrate capability for, it seems, are:
- Why are you holding this data, is it still justified? If not it should be deleted. So holding ongoing customer data is ok but a customer that left you a year ago probably not.
- Consent to hold data must be explicitly given and not as a result of not opting out. You must also store how consent was given.
- Online identifiers such as IP addresses now qualify as well as personal data – so wifi logins are impacted
- People can ask for access to their data at “reasonable intervals”, and you must generally respond within one month
- Any data breaches must be notified within 72 hours of you becoming aware to the Information Commissioner’s Office
We are going to talk penalties here. The numbers are, potentially, big but remember that the Information Commissioners Office (ICO) has already stated that penalties are a last resort. They want you to be compliant and so will ok with you, rather than starting with fines and going from there.
- Failing to meet the 72-hour deadline could mean a penalty of up to 2% of annual worldwide revenue, or €10 million, whichever is higher.
- Failure to follow the basic principles for processing data, such as having a legal basis for doing so, ignore individuals’ rights over their data, or transfer data to another country, the fines are even worse. This could be a penalty of up to €20 million or 4% of global annual turnover, whichever is greater.
For those that recall the issues TalkTalk had with breaches of its web site and loss of data in 2016 for which they fined £400,000 under these rules the fines could have been as high as £59 million.
If you’d like to know more about the key issues involved with GDPR, please don’t hesitate to contact us.