It’s official. It was widely expected that the EU data protection rules contained within the General Data Protection Regulation (GDPR) would be implemented by the UK, regardless of the exact status of our relationship with Europe on 25th May 2018. In the Queen’s Speech, on the 21st June 2017, the government confirmed that this will be the case, to help the UK maintain ‘its ability to share data with other EU member states and internationally after we leave the EU’.
In addition, a new Data Protection Bill will be introduced to parliament, reflecting the plans outlined in the Queen's Speech and helping to ease the way through the Brexit negotiations and beyond. The new bill, replacing the Data Protection Act 1998, together with the adoption of the GDPR, will enable the UK to retain its 'world class' data protection regime.
Regardless of Brexit, the 1998 DPA needed an overhaul. Technology has moved on and attitudes towards secure data handling have also changed, especially in the recent light of the WannaCry and Petya incidents. Alongside the government's general aim to ensure data protection rules are 'suitable for a digital age' will come more specific requirements which will have legal authority and carry the potential for punitive action if they are not complied with.
Exactly what those requirements will be is not yet fully clear, but they will include 'empowering individuals to have more control over their personal data' and the 'right to be forgotten' if they no longer want a company to process their data.
The announcement is what many companies have been waiting for to accelerate their GDPR compliance programmes. With less than ten months before it becomes law, however, acceleration (and rapid acceleration at that) will be necessary for those who have not yet started the process. Those who already have a robust information security strategy in place will not find the adjustment too onerous. Every business, from SMEs to large corporates, will need to ensure that it complies, because the GDPR has sharp teeth.
At the moment the Information Commissioner's Office (ICO) can apply fines of up to £500,000 for contraventions of the Data Protection Act 1998. Once the GDPR becomes effective, there will be a two-tier sanction regime: the lower tier carries fines of up to 10 million Euros or 2 per cent of annual worldwide turnover, and the most serious violations can result in fines of up to 20 million Euros or 4 per cent of annual worldwide turnover, whichever is higher.
It has been estimated that the total fines levied by the ICO would have been 79 times higher under the GDPR; on the same analysis, the £400,000 fine TalkTalk received would have been around £59 million once the GDPR had been adopted. It is also worth noting that under the GDPR any third party which processes data on someone else's behalf (a data processor) will carry direct legal obligations and be accountable alongside the data controller, rather than liability resting with the controller alone.
SRM’s specialist consultants have the experience and expertise to manage all elements of information security from employee training to forensic investigations; from penetration testing to preparing for GDPR compliance. To discuss any aspect of information security please contact us.