Addressing rising data costs
The General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It came into force in May 2016 with a two-year grace period and will be enforced from 25th May 2018, at which point organisations that are not compliant could face fines of up to 4% of annual global turnover or €20 million, whichever is higher.
Brexit, and Article 50 whenever it is triggered, has a two-year timeline, meaning businesses in the UK will need to comply for a short time at the very least. On top of this, if and when the UK exits the EU, it is likely to adopt the GDPR in order to facilitate trade partnerships within the EU. Companies that trade with or have a presence within the EU will also need to comply with these regulations indefinitely. The GDPR applies to all companies processing the personal data of subjects who reside in the EU, irrespective of where the company is located.
Had Tesco Bank been subject to the rules of the GDPR following the cyberattack in November 2016, it could potentially have faced a fine of £1.9 billion.
What is personal data?
"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
How will it affect me?
To summarise, the key changes are:
Consent to record information must be clear and distinguishable, and requested in plain language. It must be as simple to withdraw consent as it is to give it.
Data processors must inform customers and data controllers within 72 hours of any breach of data.
Right to access
Organisations must be able to tell a data subject whether they are processing any personal data on that subject, and to provide a copy of the personal data held in a digital format.
Right to be forgotten
Entitles data subjects to have their personal data erased upon request.
Data subjects also have the right to receive the data concerning them in a readable format and the right to transmit this data to an alternative controller.
Privacy by design
This calls for data protection to be built into the design of new systems from the outset, rather than added to a system after it has been built.
Data Protection Officer
A DPO must be appointed by organisations whose core activities involve regular monitoring of data subjects, the processing of special categories of data, or data relating to criminal convictions and offences.
How are costs going to rise?
As previously noted, there is the potential cost of fines for organisations that are not compliant by 25th May 2018.
For many organisations there will also be an increase in cost where their data handling is not in compliance with GDPR requirements. This includes the processing of personal data and ensuring that it is both accessible and secure.
The cost of becoming compliant differs from business to business, but reports have suggested that budgets for data management are set to rise by at least 10%.
How can Procura Solutions help?
We have framework suppliers who can provide cost-effective and, importantly, compliant data management services, ensuring that you are in line with the GDPR when it is enforced while helping to ease the financial burden of achieving compliance.