Complying with the GDPR is essential. Businesses that fail to properly manage the personal data they gather from the people who use and engage with their services or products can find themselves in breach of data protection law, and that can lead to hefty fines. Understanding the key GDPR changes makes breaches less likely to occur.
This blog aims to guide you through those changes. It will also explain GDPR and what can happen if you don’t follow the correct data protection procedures.
Scope of the GDPR
Before we look into the changes, let’s refresh our knowledge.
GDPR stands for General Data Protection Regulation. In the UK it sits alongside the Data Protection Act 2018 (DPA), which came into force on 25 May 2018, the same day the EU GDPR began to apply. Leaving the EU on 31 January 2020 did not change this immediately: the EU GDPR continued to apply during the transition period. It was only at the end of that period, on 1 January 2021, that the UK GDPR (the EU text retained and amended into domestic law) took effect. Any organisation that offers goods or services to individuals in the UK, or monitors their behaviour, has to comply with the UK GDPR, wherever that organisation is based.
The UK GDPR is not far off the EU GDPR in that it aims to protect the data rights of individuals in the UK. This means that you, as well as your customers and clients, have a right to have your personal data collected, processed and stored lawfully, fairly and securely.
Under both the UK GDPR and the EU GDPR, the key rights that everyone has include the right to:
- Be informed on how our data is being used
- Access our personal data
- Have incorrect data corrected
- Have personal data erased
- Stop/restrict organisations from processing our data
- Object to how our data is being processed
What Are the GDPR Key Changes?
The UK GDPR may seem like a ‘copy and paste’ of the EU GDPR because the two are so similar. But there are some notable changes, mainly around how UK companies process the personal data of people residing in the EU.
Legal Overlap
The main change is that UK businesses that only process the personal data of people in the UK need comply only with the DPA and the UK GDPR. If they also offer goods or services to, or monitor the behaviour of, people in the EU, they must comply with the DPA, the UK GDPR and the EU GDPR, because the laws that apply to them overlap.
Appointing an EU Representative
Suppose you’re a UK business with no establishment in the EU that processes the personal data of people in the EU. In that case, Article 27 of the EU GDPR requires you to appoint, in writing, a representative based in one of the EU member states where those people are (there is a narrow exemption for occasional, low-risk processing that does not involve special category data on a large scale). Note that without an establishment in the EU you cannot rely on the ‘one-stop shop’ of a single lead supervisory authority, so you may have to deal with the supervisory authority in each member state concerned. Any contracts governing EU-UK data transfers need to be updated, as do all data policies, procedures and related documents.
How Do I Know If GDPR Applies to My Organisation?
The GDPR applies to all personal data that you process. This includes the personal data of your employees and suppliers too.
- Do you gather personal data from your customers/service users, such as their names, addresses, email addresses or other details that identify them?
- Do you process this data by adding it to a database?
- Have you added their data to a mailing list to update them on new products and services?
If you have answered ‘yes’ to at least one of these questions, the GDPR certainly applies to you.
You must comply with the regulation whether you are a small startup or a large, well-established company.
What Happens If I Don’t Comply With UK GDPR?
The Information Commissioner’s Office (ICO) can issue a monetary penalty notice for infringing the UK GDPR or the Data Protection Act 2018 (including Part 3 of the Act, which covers law enforcement processing).
Penalties fall under two penalty structures, depending on the nature of the infringement. Within each structure the maximum is the greater of a fixed sum or a percentage of your annual worldwide turnover, so larger organisations face larger potential fines.
The penalty structures are:
The Standard Maximum Penalty
The standard maximum applies if there’s an infringement of other provisions, such as the administrative requirements of the legislation (record keeping, breach notification, data protection impact assessments and the like).
The standard maximum amount is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
The Higher Maximum Penalty
The higher maximum amount applies to any failure to comply with the data protection principles, the conditions for consent, the rights of individuals, or the rules on transfers of personal data to third countries.
The higher maximum amount is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
Here are some examples of the maximum penalties for specific infringements (the ICO sets the actual amount according to the seriousness of the breach, so most fines are well below these ceilings):
- A fine of up to £8.7 million or 2% of global turnover for failing to keep adequate records of processing
- A fine of up to £8.7 million or 2% of global turnover for not notifying a personal data breach to the ICO and, where required, to the affected data subjects
- A fine of up to £17.5 million or 4% of global turnover for violating the conditions for consent
- A fine of up to £17.5 million or 4% of global turnover for violating any of the basic principles of data protection
The Data Protection Officer
The scope of the GDPR explains why it requires some organisations to appoint a Data Protection Officer, or DPO. The requirement is not tied to company size: it applies to public authorities, to organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and to those that process special category or criminal offence data on a large scale. A DPO is appointed to oversee how the organisation handles personal data. It’s their job to:
- Monitor data compliance
- Advise on the organisation’s data protection obligations
- Act as a point of contact for data subjects
- Liaise with the ICO
Breaches of the GDPR take up time and resources, both of which are additional costs to a business. Consider the time and effort needed to gather information for an investigation or court case, the employees pulled away from their daily tasks to deal with the breach, and the possible need to bring in extra resources.
Knowing how not to fall foul of the law is the best strategy.
Improve Your GDPR Knowledge with a Comprehensive Course
The GDPR can seem complicated, but with awareness and understanding, you will find that it’s not so mind-boggling. Set aside time to increase your knowledge of data protection with our GDPR Training course. You will learn about the seven key principles of GDPR, gain awareness of what personal data is and, most importantly, how to protect it.
About the author(s)
Beverly Coleman