Did you know that a new EU data protection framework was adopted in April 2016? Called the General Data Protection Regulation (GDPR), it replaces the current Data Protection Act. It will come into force on 25 May 2018. It will have an immediate impact on all businesses that control or process data. If you work for an organisation currently covered by the Data Protection Act you must prepare for the change. Is it time that you updated your data protection training?
Why do we need a new framework?
Originally introduced in 1998, the Data Protection Act protects individuals’ personal information and makes sure it isn’t misused. Now the EU wants to standardise data protection laws across its member countries, eliminating inconsistencies. It also wants to give people more control over how their data is used.
GDPR brings data protection legislation into line with new, previously unforeseen uses of data. For example, the growth of the internet and cloud technology has created new ways to exploit data since the original Act came into force almost 20 years ago.
What is changing?
Quite a lot! The new regulations represent substantial changes to the way businesses must handle data. In summary, the changes are as follows:
- The GDPR has expanded the definition of personal data. It now means any data that could identify an individual, including IP addresses, user IDs and location data.
- There is a ‘right to be erased’. Organisations must delete an individual's data at the request of the data subject. Data owners can face heavy fines if they fail to act accordingly.
- The GDPR also applies to all businesses that operate within the EU, track or monitor EU residents, or offer goods or services to EU residents – even those based elsewhere.
- Organisations collecting personal data must be able to demonstrate that they have clear consent to process that data.
- Public authorities processing personal information must appoint a data protection officer (DPO).
- Data controllers must conduct PIAs (privacy impact assessments) to minimise risks to data subjects.
- The GDPR introduces the data minimisation principle. This requires organisations not to hold data for any longer than necessary, and not to use the data for any purpose other than the one for which it was originally collected.
- The GDPR extends liability to all organisations that deal with personal data, not only data controllers.
- All software must be capable of completely erasing data.
What are the consequences of failing to comply?
The consequences of failing to look after data properly can be drastic. A company that suffers a data breach can be fined up to €20 million or 4% of its annual global turnover. By comparison, the current maximum penalty is just £500,000. You could also face criminal proceedings, seizure of personal data and civil action.
Alongside that, there is the reputational damage a company could face – something that can take far longer to put right than a fine. Many cases that have hit the headlines in recent years highlight this, such as the data breaches suffered by TalkTalk, Wonga and Three.
How can GLAD help?
With organisations processing ever-increasing amounts of personal data and the rise of identity theft, it’s never been more important for employees to know how to protect data.
At GLAD we’re experts at creating bespoke elearning that perfectly suits your needs. We can create data protection training to ensure that you and your employees are fully compliant with the GDPR.
Our elearning is engaging, relevant and user-friendly. We use scenarios and case studies to bring content to life, and test learners’ knowledge with challenging assessments. This ensures that once your staff have completed their data protection training they are fully aware of how to deal with these situations in the real world.
The UK’s decision to leave the EU will not affect the commencement of the GDPR. However, with Brexit pencilled in for 2019, your data protection training may need updating again. It’s worth noting, then, that at GLAD we offer free minor amendments for 6 months after your go-live date.