Until now, businesses in the UK have operated under the Data Protection Act 1998, which implemented the EU Data Protection Directive 95/46/EC. That framework was drawn up when most people had little online presence, when the personal data held about them rarely included anything sensitive or harmful, and when data was managed in a largely manual, paper-based way.
As we moved into the digital era, the volume and variety of data, and the rate at which it is produced, changed beyond recognition. For several years the EU has been debating a new set of rules to better control the flow of data in this new technological landscape.
The European Parliament and the Council formally adopted the GDPR in April 2016. It was published in the Official Journal on 4 May 2016 and entered into force on 24 May 2016.
A two-year transition period followed before it applies. From 25 May 2018, all businesses in scope must comply with the provisions of the GDPR.
The GDPR focuses heavily on giving individuals greater control over their personal data and introduces many new and expanded obligations. Businesses established in the EU, and businesses anywhere in the world that offer goods or services to, or monitor the behaviour of, individuals in the EU, must meet those obligations, including the elements described below:
Rights of Individuals
- The Right to Be Informed
- The Right of Access
- The Right to Rectification
- The Right to Erasure
- The Right to Restrict Processing
- The Right to Data portability
- The Right to Object
- Rights in Relation to Automated Decision Making and Profiling
Breach & Notification
The GDPR requires controllers to report a personal data breach to the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it; a notification made later than 72 hours must be accompanied by reasons for the delay. The clock starts when the controller becomes aware of the breach, not when the incident began, so detection and internal escalation times matter.
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also inform the affected individuals without undue delay.
However, the GDPR provides the following exceptions to this additional requirement to notify the data subjects:
- The controller had applied appropriate technical and organisational protection measures to the affected data, in particular measures that render it unintelligible to anyone not authorised to access it, such as encryption. Encryption only helps here if the keys were not compromised along with the data.
- The controller has taken subsequent measures that ensure the high risk to individuals’ rights and freedoms is no longer likely to materialise.
- Notifying each affected individual would involve disproportionate effort; in that case the controller must instead make a public communication, or take an equally effective measure, to inform them.
What happens if you don’t comply with GDPR Guidelines
Previously, under the Data Protection Act 1998, the maximum monetary penalty was £500,000. Under the GDPR the amount a data protection supervisory authority may impose rises substantially: the most serious infringements carry a maximum fine of €20m or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Individuals also have the right to claim compensation for any damage they suffer as a result of a violation of the GDPR.
Businesses must understand the new and enhanced obligations and make sure their data management practices follow them. It is crucial for every business to adjust its data management regime now, to avoid the risk of non-compliance.
How YourSafeHub can help you avoid such penalties
According to the ICO, “You must act upon the subject access requests without undue delay and at the latest within one month of receipt. You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.” Handling a large number of subject access requests within the legal timeframe is not an easy job. Undue delay in responding to these requests can result in high penalties, so inconsistencies are inexcusable and unaffordable. Here’s why YourSafeHub can be a lifesaver for you.
YourSafeHub provides you with:
- An easy-to-use reporting system for your customers, which lets them file a subject access request with your company instantly in a few clicks.
- Categorisation of subject access requests by urgency, tied directly to the ICO deadlines.
- An interactive management system for handling these subject access requests properly.
- Regular notifications and alerts about upcoming deadlines.
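The ICO deadline rule quoted above is simple to state but easy to get wrong in a tracking system, because "the corresponding calendar date in the next month" does not always exist (a request whose day-after is 31 January has no 31 February). The following added example, which is not part of this page or of YourSafeHub's product, shows one way to compute the deadline and triage requests by urgency. It follows the quoted rule (count from the day after receipt); the short-month fallback to the last day of the following month reflects ICO guidance but is not stated in the passage quoted here, and the urgency thresholds are the example's own assumptions. Note also that the ICO later revised its guidance to count from the day of receipt itself, so check the current guidance before relying on either rule.

```python
from datetime import date, timedelta
import calendar


def sar_deadline(received: date) -> date:
    """Return the one-month response deadline for a subject access request.

    Rule as quoted on the page: count from the day after receipt until the
    corresponding calendar date in the next month.
    """
    start = received + timedelta(days=1)  # clock starts the day after receipt
    year, month = start.year, start.month + 1
    if month > 12:  # December rolls over into January of the next year
        year, month = year + 1, 1
    days_in_next_month = calendar.monthrange(year, month)[1]
    # ASSUMPTION: if the next month has no corresponding date (e.g. 31 Jan ->
    # February), use the last day of that month, as ICO guidance describes.
    return date(year, month, min(start.day, days_in_next_month))


def days_remaining(received: date, today: date) -> int:
    """Days left until the deadline; negative once the request is overdue."""
    return (sar_deadline(received) - today).days


def urgency(received: date, today: date) -> str:
    """Triage label for a request relative to its ICO deadline.

    Thresholds are an assumption of this example, not an ICO rule.
    """
    remaining = days_remaining(received, today)
    if remaining < 0:
        return "overdue"
    if remaining <= 7:
        return "due soon"
    return "on track"


if __name__ == "__main__":
    # Constructed sample requests (not real data) showing the edge cases.
    samples = [
        date(2018, 9, 3),    # ordinary case: day after is 4 Sep -> 4 Oct
        date(2018, 1, 30),   # day after is 31 Jan; Feb 2018 has 28 days
        date(2020, 1, 30),   # same, but 2020 is a leap year
        date(2018, 12, 30),  # day after is 31 Dec; rolls over to 31 Jan 2019
    ]
    today = date(2018, 9, 30)
    for received in samples:
        print(received, "->", sar_deadline(received), urgency(received, today))
```

Run it and the 30 January 2018 request lands on 28 February, not on a non-existent 31 February or a silently shifted 3 March; a tracker that builds the date with naive month arithmetic would miss that case and misreport the deadline.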