WHAT HAPPENS IF I DON’T COMPLY WITH GDPR?

Can I ignore GDPR and carry on regardless?

WHY GDPR IS A GOOD THING

GDPR is a good thing. We’re all ‘individuals’, all people, all consumers. And we all deserve the respect and consideration that proper data privacy represents. The GDPR brings the old Data Protection Act bang up to date, taking our modern digital world into account. As individuals we have a great deal more choice about what data companies keep about us, how and where they keep it, for how long, and what they do with it.

WHO IS RESPONSIBLE FOR THE DATA I COLLECT?

A Data Controller decides how and why personal data is processed. A Data Processor does the work. As a Data Processor, you’ll have more responsibilities, with specific laws to follow and more legal liability around record keeping and evidence. If you are a controller, the GDPR puts even more pressure on you to make sure the people who process your data comply.

WHAT SORT OF PUNISHMENT IS LIKELY?

The financial penalties for non-compliance are higher than under the old Data Protection Act. There’s an upper limit of €20 million or 4% of your annual global turnover, whichever is greater. The authorities can also:

  • Issue warnings
  • Carry out audits
  • Demand that you fix things within a strict deadline
  • Demand you erase data
  • Stop data transfers to other countries
  • Apply these powers to both data controllers and data processors

HOW DO I MAKE SURE OUR IT SYSTEMS COMPLY?

The more complex your system is, the more you might have to do to make sure it supports every aspect of business-wide compliance. Your first step is to start thinking about GDPR now, to give your company the time needed to get ready. Unless you are 100% confident you can handle it in-house, your second step is to find someone you can trust to give your IT an overhaul.

EXCELLENT GDPR RESOURCES

Here are some detailed plain language posts about the GDPR:

ABOUT DATA PROTECTION OFFICERS – FAQ

You must be able to prove clear, affirmative consent to process people’s data.

Businesses collecting data must ask permission using plain, simple language when asking for consent to collect personal data, and be entirely clear about how it’ll be employed. Individuals must give active consent, and an opt-out tick box is no longer good enough.

Probably not. Most of the current mechanisms just aren’t robust enough.

A DPO is mandatory for some types of organisations, including public authorities. The same goes if your business carries out ‘regular and systematic’ large scale data monitoring, or processes large amounts of data under various data categories. In short, if you depend on processing personal data, you’ll have to appoint a DPO.

Today plenty of companies with fewer than ten employees process vast amounts of personal data, which means they come under the new law even though they’re small businesses. The GDPR doesn’t look at the number of employees, but at what they do with the personal information they collect, keep and process.

A DPO acts as an extension of the data protection authority, tasked with making sure personal data processes, activities and systems conform to the law.