Liability is also being extended from the current Data Custodians to the current Data Processors as well. Currently organisations that process data on behalf of the custodians of that data are not subject to enforcement under DPA. That will change with GDPR.
Fines are potentially up to 4% of Global turnover.
And that is only the beginning...
Good space to be in...
Yes, it's a law that will come into force. What I meant was that you do not need to make a submission to the ICO on your level of compliance, nor does the ICO have the manpower to check this.
There will be enforcement, and it will be easier to enforce GDPR regulations than it was for the DPA 1998, e.g.:
- data subjects no longer have to prove that there was a data breach; they just have to show that some harm was done. So the 'bar' will be lower;
- companies must make data subjects' consent to opt out more explicit (so, no more odd-looking tick boxes or double negatives that trick you into accepting marketing material or having your PII sold). The burden of proof shifts from the data subject to the organisation;
- data breaches used to incur a £500K fine. Now the fine will be 2-5% of annual turnover;
- subject access requests no longer incur a fee, and data can be extracted and sent electronically. Data subjects will no longer have to ponce about paying by cheque and waiting loads of time for redacted bits of paper to arrive in the post;
- the nature of personal data is now extended to include online identifiers like IP addresses and cookies; companies will no longer be able to claim these aren't within the meaning of PII;
- it's an EU-wide regulation (unlike the DPA), so it's harder for companies to hide in different jurisdictions.
There's more, but the above gives a good flavour. So yes, it'll be easier for the ICO to enforce. Ignorance will be no excuse!
There is a lot of scaremongering in the industry. There will be no enforcement as such; it's a law change and companies are expected to comply with it. It's usually when the proverbial hits the fan that these things come to light. Those fines are based on a number of conditions: the type of data leaked (personal data or sensitive personal data), the number of records leaked, lack of compliance with the law itself and the current state of security controls in place. These are some of the contributing factors that will determine the fine by the ICO, or local authority, not to mention other possible regulatory fines (depending on your industry) and also litigation from other sources, customers etc.
Lots of companies will not comply with the law change come May. What will happen? Nothing, as long as you don't get breached. One thing is for certain: some companies will make the headlines, and examples will be made of such companies if they have a flagrant disregard for the protection of data.
Post May, breaches will continue to happen as the threat landscape continues to evolve; all you can do is try and stay ahead of the game.
Some small businesses and charities will get fined slightly more than before by the ICO, and the big players will carry on getting away with it - aka business as usual.
There is SO much talk about GDPR in May.
Do those closer to it know what the landscape will look like post May?
i.e. I am struggling to know how it will be enforced - by whom? Or will it filter out?
There must be so many businesses, especially SMEs, that could fall foul of the legislation, I imagine.
Is it one strike and they face a huge fine?
Cheers.
I've been wondering myself - none of the big banks seem ready, so what normally happens is they extend the date for compliance.
It's a hefty fine from memory - I wonder what will happen.
You do need to re-ask for marketing permission, and by what channel - once GDPR drops, if you do not have that you cannot contact people, as you are not supposed to be retaining their PII.
Watch out for non technical storage for those of you who like to keep paper copies of everything.
A number of the high-profile PII leaks have been down to 2 simple reasons:
1) Absolutely woeful data security.
2) Deliberate sales of PII to generate revenue
I think the biggest battle companies will face will be between data managers, whose job it is to safeguard the data, and marketing managers, who will be under pressure to find new and exciting ways to market to people without breaking GDPR.
The long and the short of it: those who have been adhering to the Data Protection Act thus far will probably only need some tweaks to policy and procedure. Those that have not will have quite a bit of work to do, one would imagine.