General Data Protection Regulation (GDPR)

GDPR What is it? GDPR replaces the Data Protection Act 1998, and comes in to force on 25th May 2018. Approved by EU Parliament 14 April 2016, it will apply here regardless of Brexit and the Great Repeal Bill It is “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” The regulation applies to personal data by automated AND non-automated means. There are two categories of personal data: • Sensitive (including data about health, beliefs, sex life etc) • Ordinary (everything else, with financial data as a special case)

GDPR What do organisations holding personal data need to do? Carry out a data audit Revisit your consents Review Fair Processing Notices (FPN) and Privacy Policies Set a Data Retention Policy Audit contracts Train staff Write Privacy Impact Assessments Set policies and procedures to deal with enhanced rights to individuals

GDPR What will happen if personal data is lost? Notification of breaches will be compulsory. The ICO must be notified of breaches within 72 hours of awareness being gained, and each individual must be notified that there is a high risk to their rights and freedoms. Reportable data breaches include: • Wrong letter in a wrong envelope • Laptop left on a train • Personal data in a picture • cc instead of a Bcc

Remember: GDPR comes in to force on 25th May 2018 What are the consequences for non-compliance? The cost of a breach could be up to €10m or up to 2% of global turnover, whichever is higher. Talk Talk’s breach cost £400k under DP act – it could have been £70M under the GDPR… Remember: GDPR comes in to force on 25th May 2018