by Dave Fuller
UK data protection regulations and data privacy laws are about to get tougher in 2016 as negotiations are coming to a close in Brussels around the new Data Protection laws to replace the Data Protection Act 1998.
This new law is called the General Data Protection Regulation (GDPR) and is a priority for online commercial businesses within the EU.
Although each member state has its own data protection regulations, the EU does not currently follow a common set of rules. This has caused uncertainty and confusion when data is shared across borders and is seen as a barrier to expanding and growing a business.
Data Protection Principles
The eight key principles of Data Protection (as documented on the Information Commissioner’s Office website) are as follows. Personal data must:
- Be processed fairly and lawfully
- Be obtained for lawful reasons
- Be adequate, relevant and not excessive for the purpose for which it is processed
- Be accurate and kept up to date
- Not be kept for longer than is necessary
- Be processed in accordance with the rights of the data subject
- Be protected against unauthorised or unlawful processing and against accidental loss or destruction by appropriate technical and organisational measures
- Not be transferred to a non-EU member state unless that country ensures adequate levels of protection for the rights and freedoms of data subjects
The bottom line is you can’t just go ahead and purchase vast quantities of personal data unless you can prove that you have adhered to the above principles.
Implications for an EU Business
In the future, clients will have the ‘right to be forgotten and erased’. Grounds for erasure include the client withdrawing consent or objecting to the data being processed, as well as non-compliance with the eight founding Data Protection principles.
Not only will you need to permanently delete data on request, but you will also need to provide proof that this has happened, including evidence of the physical destruction of equipment where that is required.
You will need adequate provisions to prevent attacks or errors that may compromise data. These could include malware attacks, Denial of Service (DoS) attacks, data leakage and corruption of data. The tougher regulations also require that clients be notified of a data breach within 72 hours.
This standardisation of data protection should result in increased confidence that data can be held within other EU member states without fear of increased risk to data security, and arguably removing some barriers to expansion and business growth.
The penalties for non-compliance are high, but are subject to final agreement. A fine of up to €100 million or 5% of global annual turnover (whichever is greater) has been widely debated; the more likely outcome, and the one that may be the ultimate agreement, is a fine of 2% of global turnover.
Compliance with these regulations will affect internal data, external websites and cloud-based systems. Whilst Accent may only have control over a small proportion of your data and networks, we will endeavour to keep abreast of changes in regulations, so that we can offer advice on best practice where possible. Feel free to contact us if you require further advice on how this legislative change may affect your business.
Armed with a BA (Hons) Arts degree and decades of experience as a Web Developer, Dave manages all aspects of Web Design and Software Development at Accent and is also our technical guru.