New data protection regulations come into force on 25th May 2018 affecting every organisation that offers products or services to EU citizens, as well as those handling data of EU citizens.
The new General Data Protection Regulation (GDPR) requires organisations to adhere to a strict set of data privacy and security measures including:
- Implicit consent with an onus on organisations to demonstrate that consent has been given – no more small print tucked away or pre-ticked boxes,
- Data security breaches reported within 24 hours,
- Appointment of a Data Protection Officer with access to the Board / senior management team,
- Subject Access Request response period reduced to 30 days and £10 fee abolished,
- Right to be forgotten.
It will be enforced in the UK by the ICO with fines for infringement of up to €20M or 4% of the offending company’s global annual revenue, whichever is higher. To put this in context, TalkTalk’s recent data breaches could, under the new regime, result in fines of up to £72 million.
Research by Compuware Corporation shows that the majority of businesses surveyed were not yet ready with a plan to respond to GDPR.