GDPR is here !
Can you demonstrate that you comply?
Copyright 2016 | Privacy Notice
When Did the New Law Come into Force?
The General Data Protection Regulations (GDPR ) and the Data Protection
Act 2018 are now law. They came into force on 25 May 2018 and compliance
is being enforced by the Information Commissioner's Office.
Will Brexit Make Any Difference?
The short answer is no. The GDPR will continue to apply to the UK even after Brexit.
Why Do I Need to Worry About Data Protection?
The GDPR applies to most organisations in the EU. It also applies to organisations outside the EU, if they offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU. For example, companies outside the EU that carry out profiling or on line tracking of individuals in the EU will need to comply with the GDPR.
Who Regulates Data Protection?
The Information Commissioner's Office regulates data protection compliance in the UK. If they receive a complaint about your business, they will carry out an investigation and may direct you to take action to rectify any areas of concern and/or impose a hefty penalty. They will also publish information about their findings on their website which could damage your reputation.
How Much Training is Required?
Training in data protection needs to be provided to everyone that processes personal data to ensure that they are clear about their responsibilities and understand what they can and cannot do when processing personal data. Annual refresher training should also be carried out.
How Do I Know if my Organisation is Compliant?
If you are unsure if your organisation is data protection compliant we can assist by providing a review of your systems and procedures or conducting a full data protection audit in order to identify any areas which need attention.
What is the Maximum Penalty for Non-compliance?
Under the GDPR, there is a two tier system for fines. The maximum penalty under the first tier is €10 million or 2% of global turnover, whichever is the greater. The maximum penalty under the second tier is €20 million or 4% of global turnover, whichever is the greater.
The first tier is used when organisations do not adhere to their responsibilities under the GDPR, including (amongst other things) failing to implement appropriate technical and organisational measures to safeguard personal data, failing to introduce data protection policies and procedures, failing to enter into GDPR compliant contracts, failing to appoint a Data Protection Officer (if required), failing to carry out Data Protection Impact Assessments (if required) or failing to report a personal data breach (if required).
The second tier is used if organisations do not comply with the Data Protection Principles, do not have a legal basis for processing personal information, do not obtain valid consent, do not respond appropriately when an individual wishes to exercise their rights under the GDPR or they unlawfully transfer personal data outside the EU.
The information on this website should not be treated as legal or other advice and South Coast Data Protection Consultants Ltd will not be liable in contract, tort or otherwise if you rely on the information without seeking professional advice.