In 2018, new rules will come into force regarding Data Protection, called the General Data Protection Regulation (GDPR). These changes will affect the way your business must treat data in general, as well as dictating how you must mitigate any breach that occurs.
Whilst the final wording has yet to be agreed (and as such, the finer details remain unconfirmed), the Direct Marketing Association (DMA) has issued a couple of articles to help guide you through some of the more pertinent parts of these new Regulations. These will at least give you a flavour of what is about to come into play and allow you to prepare for the changes. I have summarised these below, including a link to each DMA article, which will give much more information.
GDPR – Breach Management and Data Security
No legitimate company wants to breach Data Protection law, but many fall foul of it, even now. Recent years have seen many high-profile breaches occur – TalkTalk, Sony, even Government Departments – and with the law getting tighter still in 2018, you need to be sure you’re compliant. That said, it’s not only hackers that grab the attention of the enforcement bodies – human error is also a major issue, as is poor data security.
The new Regulation will bring into force not only rules on data security itself that must be abided by, but also rules that must be followed in the event of a breach. These rules go into some detail and, as you might expect, have several exceptions. All I can say is that it’s worth knowing your obligations as a company and as an individual, since I doubt there will be much sympathy for any company that commits a breach. Furthermore, with apparent fines of up to 4% of a company’s global turnover or €20 million (whichever is the higher!), any lack of knowledge could prove costly.
GDPR – Accountability and Staffing
Most companies, I imagine, will already take seriously the protection of their customers’ and contacts’ private information. If they don’t, they certainly ought to!
What the GDPR will do is place an actual legal obligation upon them to do so. By this I mean the onus will fall not only on the company as an organisation that may presently pass any Data Protection related queries to its legal department, but on the company as an organisation that must ensure its employees know exactly what its Data Protection policy is and how it must be put into action.
Certain companies will also be obligated to have an appointed Data Protection Officer (DPO), whose responsibilities will be to ensure understanding and compliance throughout the company.
No doubt as we inch closer to the date of the implementation of the GDPR, more DMA and ICO articles will appear. In the meantime, the next milestone is in April this year, when the final text is expected to be published (although it wouldn’t surprise me if it were changed again before implementation). Data Bubble will continue to follow this news and we will publish blogs, as well as include articles in our Newsletters and social media, to keep you informed. Until then, we hope you find this helpful.