Our Head of Security, Thomas Owen, discusses the data protection landscape in advance of Data Protection Day on January 28th 2017.
With just 16 months left to become compliant with the General Data Protection Regulation (GDPR), organisations should be in the full swing of making sure their systems and processes will comply by May next year.
Despite Brexit, the ICO still intends to implement the GDPR, because it comes into force before any exit from the EU takes place. Equally, many UK businesses have operations in, or trade with, the EU, and the UK is likely to retain GDPR-strength laws post-Brexit to ensure that UK businesses can continue to receive data from the EU easily.
Therefore, regardless of whether your business is in the EU, you will still need to comply with the Regulation if you handle personal data of EU residents, so make sure you are aware of the changes.
Consistency across the EU is one of the key drivers of the GDPR, and the Article 29 Working Party is leading the way in developing guidelines on some of the key aspects of the law.
Some key changes to be made include:
- The renewed definition of "personal data", which is now broader and set to include factors such as an individual's mental, economic, cultural and social identity
- The need for clear, affirmative consent to the processing of personal data and the need for consent when processing children's data
- The need for a mandatory data protection officer (DPO) for some companies
- The performance of a data protection impact assessment before undertaking higher-risk data processing activities
- A time scale of 72 hours to report a data breach
The types of data breach included in the GDPR are:
- Confidentiality breach - unauthorised disclosure of, or access to, personal data
- Availability breach - the accidental or unlawful destruction or loss of personal data
A further change under the GDPR is that consumers will have the right to transfer their data from one company to another; it will be incumbent on the data processor to enable the portability of all of a consumer's information to the new service provider in a compatible format.