The General Data Protection Regulation (GDPR) came into force on 25.05.2018 and with it many changes from the previous Data Protection Act (DPA).
For businesses and organisations already complying with previous data protection laws, the new regulation is only a “step change”. If you were previously subject to the DPA, it is likely that you are also subject to the GDPR.
Under GDPR, the “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data must be reported to those affected and the Information Commissioner’s Office (ICO) within 72 hours of discovery.
Can Insurance Cover be Arranged?
Yes, please complete the form below for details of our Cyber/GDPR data breach insurance solution.
What is meant by “data”?
Both personal data and sensitive personal data are covered by GDPR.
Personal data, broadly, means any piece of information that can be used to identify a person. This can be a name, address, IP address, etc.
Sensitive personal data encompasses genetic data, information about religious and political views, sexual orientation and more.
These definitions are largely the same as those within the current DPA, but where GDPR differs is that pseudonymised personal data can fall under the law if it is possible that a person could be identified from the pseudonym.
What organisations are covered by the GDPR?
Companies covered by the GDPR will be more accountable for their handling of people’s personal information. This can include having data protection policies, carrying out data protection impact assessments and keeping relevant documents on how data is processed.
For companies with more than 250 employees, there is a requirement to have documentation supporting why people’s information is being collected and processed, descriptions of the information that’s held, how long it’s being kept for and descriptions of technical security measures in place.
For companies with fewer than 250 employees, those that carry out “regular and systematic monitoring” of individuals on a large scale, or process a lot of sensitive personal data, must employ a data protection officer (DPO). This may mean having to hire somebody specifically to fill this new role or incorporating the responsibilities within an existing role. However, the person must report to senior members of staff, monitor compliance with GDPR and be a point of contact for employees and customers.
What do we need to do to achieve compliance?
The Information Commissioner’s Office (ICO) has put together a 12-point action plan.
Ignoring it or getting it wrong could be costly: infringement can bring fines of up to 4% of annual global revenue and damage corporate reputation.