Get ready for changes to data protection laws

April 13, 2017 - 9:00am

Get ready for changes to data protection laws

This year has marked one of the largest legal movements in data protection history – the formal adoption of the EU General Data Protection Regulations (GDPR).

Due to come into effect on 25th May 2018, the countdown for organisations to get their data protection policies in place is well underway.

Ken Parker, Compliance Director at ICT Reverse outlines the key changes and how it may affect businesses.

In an increasingly growing digital economy, it is more important than ever to have clear laws with safeguards in place to protect personal data.

Essentially, the GDPR will increase privacy for individuals and give regulatory authorities greater powers to take action against business that breach the law.

Despite Brexit, the government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. The legislation will be UK law. Any business in the UK which handles data of EU citizens will be affected regardless.

The new data protection laws will affect all organisations that hold or use personal data are responsible for keeping it secure. If you are currently subject to the Data Protection Act, it is likely that you will also be subject to the GDPR. The GDPR applies to both data ‘Controllers’ and ‘Processors’.

When the GDPR comes into force, it will entirely replace the current Data Protection Act 1998 and radically overhaul many of the existing data protection rules.

Key changes
1. The definition of personal data is much broader and includes identifiers such as genetic, mental, cultural, economic and social identity.
2. The regulation applies to non EU companies that process personal data of EU citizens.
3. Obtaining consent for processing personal data must be clear and must seek an affirmative response.
4. Data subjects have the right to be forgotten and erased from records.
5. Parental consent is required for the processing of personal data of children under age 16.
6. Users may request a copy of personal data in a portable format.
7. The appointment of a Data Protection Officer (DPO) will be mandatory for companies processing high volumes of personal data & good practice for others.
8. Data Controllers must report a data breach no later than 72 hours after becoming aware of the breach.
9. Data Controllers must ensure adequate contracts are in place to govern data processors.
10. Data Controllers must have a legal basis for processing and collecting personal data.
11. ISO27001 and other certifications will help demonstrate ‘adequate technical and organisational measures’ to protect personal data and systems.
12. Privacy risk impact assessments will be required for projects where privacy risks are high.
13. Products, systems and processes must consider privacy by design concepts during development.
14. Data Processors can be held directly liable for the security of personal data.
15. International companies will only have to deal with one supervisory data protection authority.

Now onto the important topic of penalties. If businesses do not comply with the new GDPR, they can be fined up to 4% of their annual turnover or 20million Euros (whichever is higher). Fines of this scale could very easily lead to business insolvency and, in some cases, closure.

ICT Reverse is one of the UK’s leading data disposal companies for PC’s, smart phones, laptops, data tapes, hard drives and all data bearing devices. They can help your business adequately prepare for the EU GDPR. Their specialist and experienced data privacy team are available to assist you and provide you with the necessary certificates to demonstrate that your company complies with the regulation when disposing of data.

• Tel: 01524 580900
• Email: