Print IT Reseller - Issue 43 - page 33

GDPR
personal data, the Data Controller (the organisation that collects a person’s
data) must report the breach to the supervisory authority in the member
state where the company’s main activity resides.
The supervisory authority is a newly formed administrative body that
will be founded in each member state to manage the data protection of
that country’s citizens. The breach must be reported within 72 hours, and if
it’s late then reasons should be provided.
The data subject must also be informed straight away. Interestingly, if
the data has been manipulated, for example if the data is unrecognisable
and will not be traceable back to the data subject, then the data subject
doesn’t have to be informed, but the breach still has to be reported to the
relevant supervisory authority.
Q: What will happen if I’m found to be uncompliant?
A: Remarkably steep fines. The new sanctions that can be imposed on
uncompliant businesses include:
• A written warning in instances of first and non-intentional
non-compliance
• Regular and thorough data protection audits
• Most repeat breaches will result in a fine up to €10,000,000 or up to 2%
of annual worldwide turnover, whichever is greater
• Breaches that the European Court has deemed more serious, for
example breaches in consent or international data transfers, would result
in a fine up to €20,000,000 or up to 4% of annual worldwide turnover,
whichever is greater.
So it really is in a business’ interest to be prepared for the 25 May 2018.
Q: What should I be doing now?
A: Raising awareness. The deadline for GDPR is ever approaching, so
your first action should be to raise awareness of GDPR internally, making
sure that your employees fully understand what and how a data breach
can happen, and the fines that could occur. You should also make a
comprehensive document of what data you hold, how it is gathered and
how it is stored.
An important aspect of GDPR is consent, so reviewing how you are
obtaining and recording consent from individuals should be a priority,
discussing whether any changes need to be made. Consent from minors is
also important here; you should start thinking about verifying the age of
individuals and whether you need to get consent from a parent or guardian
for the processing of the minor’s data.
You should also ensure that you have the right procedures in place to
detect, report and investigate personal data breaches. GDPR now states
that all businesses should appoint a data protection officer within their
organisation to take responsibility for data protection compliance. If a
business works internationally, then these companies should determine
which supervisory authority they will be operating under.