This is the long-needed update to the 1995 Data Protection Act, and this new regulation aims to protect individuals from having their private information used without consent or in a manner they were not aware of. It also aims to make companies more accountable for sensitive personal data and its protection.
Generally speaking, this new legal regulation is good news for us as individuals. Technology has grown very rapidly whilst regulation has lagged well behind. I find it strange to find myself telling you that this is good news, because regulation isn’t traditionally thought of as a positive thing when it comes to innovation and creativity, but progress cannot come at the cost of an individual’s privacy and well-being.
Breaches of the regulation can incur a fine of up to 4% of annual global turnover or €30 million (whichever is greater), so it’s worth taking some time to consider whether you should be making any adjustments to your business.
You need to take action if you store information on individuals, e.g. their name, email address, date of birth, computer IP address, bank details, etc. This is normally termed personal data. The regulation applies both to the entity that determines what this data is used for and to the entity that does the processing. When I say processing, this also includes storage. Therefore if you ask for personal data from your customers, or you process your clients’ data (which happens to include personal data), then you need to take action.
This is nothing new, but how it is applied has changed. It now applies to the processing of personal data by companies in the EU regardless of where that processing takes place. It also covers the processing or storage of data relating to an individual who resides in the EU.
So if your company is in the EU, you are responsible for any personal data that you use regardless of where the processing takes place. If your company is outside the EU but you provide services for persons within the EU, then this regulation also applies to you.
Make sure that all the personal data that you collect is pertinent to your business, i.e. don’t collect data that is not needed. Minimise what information you need to store.
Notably, this regulation applies to cloud service providers as well as to those who use their services, so make sure that the data you use is handled compliantly wherever it is processed. If you use a provider outside the EU, you need to make sure that they are aware of these new regulations and that they will adhere to them too.
You only need a Data Protection Officer if your core activity is the processing and/or monitoring of personal data on a large scale or of that relating to criminal activities.
Well, it doesn’t have to be a hacker that compromises your business. Data theft can also be carried out by employees, so you need to make sure that your systems and policies take all of this into account.
If this nasty event does occur, then you are best owning up as soon as possible. The regulation stipulates that a breach must be notified within 72 hours of you first becoming aware of it. When you think about the length of time TalkTalk or Yahoo took to notify their customers of their data breaches, you can understand why.
But we’re leaving the EU, so is this really relevant to me? Well, we aren’t leaving until 2019 at the earliest, and it is very likely that the UK will implement a regulation largely similar to the GDPR. So I would say yes, this is still relevant to your business.