Bovill’s Umar Mohamed comments on GDPR for KYC360


New EU data protection regime GDPR kicks in

The European Union’s General Data Protection Regulation (GDPR) came into effect on Friday, introducing measures designed to give citizens more control of their personal information and also help small businesses reduce costs and red tape.

The Regulation updates the principles of the 1995 Data Protection Directive to guarantee privacy rights, and seeks to strengthen citizens’ rights, with rules such as a ‘right to be forgotten’, which allows for the deletion of an individual’s information, and clauses that give individuals more information about how their data is processed.

A key aspect is the protection of personal data in cyberattacks, which are becoming increasingly familiar in the banking sector.

Under the new law, data controllers will have to inform people about data breaches ‘without undue delay’ and will also have to notify the national supervisory authority of data breaches.

A ‘right to data portability’ will also make it easier for individuals to transmit personal data between service providers, the EU said.

For firms, the legislation seeks to slash red tape, becoming ‘one law for one continent’, and replacing the ‘inconsistent patchwork of national laws.’

It also seeks to make data management for small businesses easier, stating that small to medium-sized enterprises do not need to appoint a data protection officer, unless their core activities require regular and systematic monitoring of the data subjects on a large scale.

Businesses failing to adhere to the new rules face hefty penalties of up to €20 million or 4% of worldwide annual turnover.

Each case, however, will be ‘carefully’ considered when it comes to issuing a penalty, the EU said, and issues such as the duration of the violation, the number of data subjects affected and level of damage suffered by them, will be taken into consideration.

There have been various issues and concerns raised about GDPR.

London-based Umar Mohamad, a consultant at Bovill, said:

“The main thing is that you have a fine, a quantum leap, compared to what is currently in place. Senior managers need to understand that it’s not only the fine but also the associated reputational damage.

The current maximum penalty is £500,000, but under GDPR it could be as high as 20 million euros or 4% of global turnover (whichever is higher). There are, however, a number of mitigating circumstances to be considered before a penalty is issued and it is unlikely we’ll see a fine of 4% global turnover issued.

The Information Commissioner’s Office (ICO) see fining a firm as a last resort. The ICO have published a lot of useful guidance for firms to reach compliance. There are lots of policies and procedures that need to be drafted, and a lot of actions are required to show that you are compliant with the GDPR.”

May 25, 2018  Irene Madongo

Source: KYC360

Copyright © KYC360 2018. All rights reserved.
