What is GDPR and why is it so important?
The GDPR applies to organisations or bodies that control or process data on people in the EU regardless of where the processing takes place. The GDPR applies only to personal data in the same way that the DPA does. However, the GDPR’s definitions are more detailed and it introduces new categories of data. However, if companies hold personal information about someone in the EU, they can assume that it falls within the GDPR as it applies equally to both automated personal data, and manual filing systems.
Data subjects have more rights under the GDPR and companies need to take particular care not to breach these rights. There are stiffer consequences including fines and compensation should companies do so. The level of the fines is determined in the UK by the Information Commissioners Office (ICO) and can be up to €20million or 4% of group turnover, whichever is the greater. There is also a lower level of fines for less serious breaches of data subject’s rights. The level of these fines will depend on the nature and impact on the data subject. There are therefore significant business risks to consider.
In addition, there are other operational impacts of breaching the rights of data subjects. These include:
• Operational costs to put right the issues caused
• Reputational and brand damage
• Orders to stop processing data
• Criminal convictions
The GDPR includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance.
Companies are expected to put into place comprehensive, but proportionate, governance measures. Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. In practice, this will mean more policies and procedures for companies, although many companies will already have good governance measures in place, and the process will be to review them and update them as necessary.
