On May 25th 2016 the European Council published the General Data Protection Regulation (GDPR).
The council effectively produces three types of legislation. The first are Decisions. They may be addressed to particular member states, individuals or companies, and they are binding only on those to whom they are addressed.
The second is a Directive. Directives lay down certain results that must be achieved but each Member State is free to decide how to transpose Directives into national laws.
The third type is the Regulation. These are addressed to all member states and are applied in full. They are applicable without the need for national legislation. Normally Regulations will start in all member states on the same date.
As its name implies, the GDPR is this third type, and it will probably not be watered down or altered by the UK Government or the Information Commissioner's Office (ICO).
Getting GDPR wrong will be expensive
There are many things in the GDPR which will have a great effect on companies in the UK. Probably the most contentious will be the level of fines applicable if a company gets the implementation wrong. For serious offences a company could be fined €20M or 4% of its world-wide revenue – yes, revenue not profit, meaning that some of the largest companies could potentially face fines in excess of €1 billion. For lesser breaches the fine is up to €10M or 2% of world-wide revenue – still an immense amount of money.
Large organisations will also need to look at whether they need to employ a Data Protection Officer (DPO). Sometimes a DPO will be mandatory – for companies handling large amounts of sensitive data, or for local authorities, for example. Consequently companies will need to think ahead: if the company wants to develop into an area where a DPO is a requirement, there is no way that one will be “bought off the shelf”.
The rules on consent are much stricter. It won’t be possible to rely on inaction to obtain an affirmative response (pre-ticked boxes on web pages), and companies dealing with people under the age of 16 will have to get parental consent rather than that of the child. As a result, this will mean a great deal of work in re-writing all those coupons and web pages.
In addition, databases and applications will have to be designed with data protection and security as their first concern.
And these are just a few of the changes.
Contact us today to set up an introductory meeting and see if we can help you through the next two years.