What is it?
The drivers behind the GDPR are twofold. Firstly, the EU wants to give people more control over how their personal data is used, bearing in mind that many companies like Facebook and Google swap access to people’s data for use of their services. The current legislation was enacted before the internet and cloud technology created new ways of exploiting data, and the GDPR seeks to address that. By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the emerging digital economy.
Secondly, the EU wants to give businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market (the EU estimates this will save businesses a collective €2.3 billion a year).
The GDPR will apply in all EU member states from 25 May 2018.
So who does the GDPR apply to?
‘Controllers’ and ‘processors’ of data need to abide by the GDPR. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. So the controller could be any organisation, from a profit-seeking company to a charity or government. A processor could be an IT firm doing the actual data processing.
Even if controllers and processors are based outside the EU, the GDPR will still apply to them so long as they’re dealing with data belonging to EU residents.
It’s the controller’s responsibility to ensure their processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.
What happens if we have a security breach?
Under the GDPR, a data breach must be reported to the data protection authority within 72 hours, but even before you call the data protection authority, you should tell the people affected by the data breach. Those who fail to meet the 72-hour deadline could face a penalty of up to 2% of their annual worldwide revenue, or €10 million, whichever is higher.
If you take fines recently issued by the ICO, which can impose a maximum penalty of £500,000, and scale them up under GDPR, you can see how much tougher the penalties for getting data protection wrong will soon become.
So under GDPR, TalkTalk’s record £400,000 fine would actually total £59 million – that’s a pretty big chunk of the telco’s third quarter 2016 revenue, which was £435 million. Meanwhile, the ICO’s total issued fines for 2016, which amounted to £880,500, would become £69 million from 25 May 2018, according to risk mitigation firm NCC Group – 79 times higher.
Okay, what other fines are there for failing to obey the GDPR?
Well, if you don’t follow the basic principles for processing data, such as consent, ignore individuals’ rights over their data, or transfer data to another country, the fines are even worse. Your data protection authority could issue a penalty of up to €20 million or 4% of your global annual turnover, whichever is greater.