Extension of territorial reachThe regulations extend to data controllers and processors beyond the EU whose activities relate to the “offering of goods and services” to EU data subjects or “monitoring” of EU data subjects. If your website is merely accessible to EU citizens but not aimed at them, then it is less likely you will be caught by the regulations. However if your website uses the same language or currency of one or more member states and/or allows goods/services to be ordered by EU citizens then its more than likely a company based outside the EU will be subject to the regulations. “Monitoring” will cover any form of tracking of individuals e.g. techniques for behavioural targeting.
Accountability and privacy by designThe regulations impose onerous obligations on businesses to demonstrate they are compliant. For example, where a business “controls” the data use, they will be required to: (a) maintain certain documentation; (b) engage in a data protection assessment for certain high risk processing and (c) implement ‘data protection by design’ and by default e.g. to minimise the data captured.
Read more on data:
- Barclays encourages UK SMEs to use big data for growth with new online service
- Companies that safeguard data privacy will reap rewards
- Security of personal data – are you complying with your obligations?
Notification of a data breachCurrently there is as a general rule no absolute requirement on companies to notify Information Commissioner of a breach of the Data Protection Act. The regulations change this. As from 2018, any breach or suspect breach must be notified to the DP Authority without undue delay and where possible within 72 hours of awareness.
FinesPresently, the maximum fine that the UK Information Commissioner can impose for DP breaches is £500,000. The regulations dramatically increase the sanctions available with DP Authorities able to impose up a fine equivalent to four per cent of a companies’ annual worldwide turnover for a breach.
No more notification requirementsIts not all doom and gloom for businesses. One welcome change is the removal of the requirement to notify or register (and pay a fee) with the DP Authority. The onus is now on the individual company to self-police. Read on to find out what your company should be doing now to prepare.
Share this story