Currently, UK businesses operate under the Data Protection Act 1998. While 1998 may not seem too long ago for many of us, in internet terms it might as well be the Dark Ages. The World Wide Web of 1998 has little in common with that of today, and it is high time that the rules caught up with the reality.
From 25 May 2018, all UK businesses that process personal data will be required to comply with the new General Data Protection Regulation (GDPR). But with just 6.5% of businesses describing themselves as ‘very prepared’ for the upcoming changes, it is fair to say many businesses may not know exactly what the changes entail.
Data Subject Rights
One major aspect of the GDPR is the strengthening of data subject rights. When collecting personal data, a business must tell the individual who the ‘controller’ of that data is (including contact details), for what purposes the data is being collected, and on what legal basis it is being processed. Naming the controller allows for far greater accountability, because there is a specific legal entity that is answerable for how the data is used. The ‘right to erasure’ (often called the ‘right to be forgotten’) is another key feature of the new regulation. It is not a right to be removed from the internet altogether: it is the right to have a particular controller erase the personal data it holds about you, on specified grounds such as the data no longer being needed for the purpose it was collected for or consent having been withdrawn, and it is subject to exceptions such as a legal obligation to retain the data. Where the right applies, the onus is on the business to delete the data without undue delay, and, if it has passed the data on to others, to take reasonable steps to tell them to delete it too.
Penalties for Non-Compliance
The GDPR will be a far more enforceable piece of legislation, with specific obligations that businesses must meet in order to be compliant. What happens if you do not comply by May 2018? Well, even with the vagueness inherent in the outdated DPA 1998, there has still been a concerted effort by the UK Information Commissioner’s Office (ICO) to clamp down on non-compliance. The figures of the last few years tell the story: from 2 fines totalling £160,000 in 2010, last year saw 21 fines totalling £2,155,500. With far firmer rules to enforce, these figures are expected to rise. The previous theoretical maximum of £500,000 (no fine to date has exceeded £400,000) is replaced by a two-tier regime. The upper tier, for breaches of the core principles, data subject rights and international transfer rules, is €20 million or 4% of annual worldwide turnover, whichever is greater; a lower tier of €10 million or 2% of annual worldwide turnover applies to breaches of other obligations, such as record keeping, security and breach notification.
How to Comply
The international standard for information security management, ISO/IEC 27001, is as good a place as any to start your compliance journey. By adopting an ISO 27001 compliant information security management system (ISMS) within your business, you will have the risk assessment, documented controls and management review that the GDPR’s security obligations expect. Be aware, though, that an ISMS certificate on its own does not make you GDPR compliant: the regulation also covers matters an ISMS does not, such as having a lawful basis for each processing activity, honouring data subject rights within the required timescales, keeping records of processing activities, carrying out data protection impact assessments for high-risk processing, and notifying the ICO of reportable breaches within 72 hours of becoming aware of them. So, over and above the ISMS, perform a self-audit that measures your business’s current DPA/GDPR compliance, map where personal data enters, is stored in and leaves your systems, and analyse exactly what the new regulation will require from your business. The GDPR may seem overwhelming, but by taking a proactive approach to compliance you will be protecting your business from what could be a truly debilitating fine.