It is already part of domestic UK law but will be enforced by the ICO from 25 May 2018. From that date onward the ICO has the power to issue fines under the GDPR and/or make referrals for criminal prosecutions.
The Information Commissioner’s Office (ICO) is the independent regulatory office in charge of upholding information rights in the interest of the public. It investigates data breaches and issues penalties in line with current legislation. At this point its job in relation to the GDPR is to help organisations achieve compliance through guidance and advice. From May 2018 it will continue its investigatory work with new and improved powers as provided by the GDPR.
This is dependent upon the size of the organisation at fault and the type of breach. Fines are categorised into two tiers: one with a maximum of €10 million or 2% of annual turnover, the other with a maximum of €20 million or 4% of annual turnover. This is a huge increase from the current maximum of £500,000. For most organisations in Northern Ireland the fines could be catastrophic. Edwards & Co. can assist you in putting appropriate policies and processes in place to help you comply. And in the event of a breach, these can be used as evidence to the ICO to mitigate a potential fine.
The ICO will issue a press release at the conclusion of any investigation outlining the breach and penalty imposed. Such publicity can be as damning as the fine.
You will need to look at your current data control and/or processing activities and see if they comply with the new regulation. If they do not they must be updated. Also, ICO guidance explicitly states that you must “refresh” your existing consents if they do not meet the new GDPR standard.
Under the GDPR consent must be freely given, specific, informed and unambiguous. This definition has a number of practical consequences when gathering personal data: you can no longer use an “opt out” tick box to gain consent. Instead you must obtain consent through an affirmative action (“opt in”) by the data subject, and that consent must be set apart from any other terms and conditions requiring acceptance.
A controller is an entity that decides the purpose and manner in which personal data is used, or will be used. A processor is a person or group that processes the data on behalf of the controller. Processing is obtaining, recording, adapting or holding personal data. Controllers and processors have different obligations under the GDPR and will have different levels of fines imposed. It is essential that you know which category, if either, you fall into, as it will have consequences for your procedures and ultimately your running costs. Edwards & Co. can provide advice on this specific point.
These agreements are entered into between controllers and processors. Typically, they contain contractual provisions to ensure the protection and security of data passed from the Data Controller to the Data Processor for processing. They ought to clearly set out what is expected of the parties (predominantly the processor) when carrying out the agreed piece of work. The obligations imposed by such agreements can be significant and therefore affect the cost of delivering your service. Edwards & Co. can advise you as to what is required by law and help you avoid unnecessarily onerous contractual obligations put in place by an overzealous data controller!
This requirement depends on the size and type of your organisation and how it handles data. Edwards & Co. can review your circumstances and advise appropriately. However, there is an argument that all organisations should appoint a DPO to ensure best practice is being followed. The latter can play a significant role in your defence of a breach.
Such requests must now be completed within the shorter timeframe of 1 month.
There are different types of breaches depending on the type of data involved and the potential repercussions. If your organisation has suffered a notifiable breach it must report it to the ICO within 72 hours. It is illegal to wait for the data subject or some other interested person to do so. The ICO has previously indicated that it will look upon self-reporting as mitigation when considering the appropriate penalty to impose. With our GDPR training and advice our clients can ensure their data protection systems are sufficiently robust to allow them to be confident enough to self-report should the need arise.
The majority of data breaches occur because of human error. Staff training and the recording and monitoring of staff training will be a vital aspect of evidencing that your organisation is complying with the GDPR. With fines that can threaten the solvency of a business, employees must realise that their job security is dependent upon best practice being adhered to. On a personal level employees who engage in vexatious data breaches can be the subject of criminal prosecution.
The UK will still be part of the EU on 25th May 2018 and so the GDPR remains part of UK law. Brexit will make no difference to the enforcement of the GDPR until such time as the UK officially severs its ties with the EU. And even then it is envisaged that any relevant legislation going forward will be a near-exact replica of the GDPR, resulting in no great change on the ground for organisations operating in the UK.