Today we are standing on the beach. Those who look will observe the dark spectre of a tsunami approaching far on the horizon, and it is coming in. First we need to accept that it is heading for our shores; then we need to accept that we can’t change its scale or course; but what we can do is start preparing business for its arrival.
The warning shot was the “EU Cookie” law, an EU-wide law that no EU citizen actually cares about, but nevertheless nearly all major UK websites have annoying pop-up cookie banners in order to comply with it. The new EU regulation has some serious teeth by way of huge financial penalties for non-compliance with any of its requirements, which makes the EU Cookie Law look like a drop in the ocean. Many of the legal requirements go beyond just the protection of personal data; here are a few bullet points on the rough ride in store for UK business in the data protection space in 2018.
- Regulation Not Directive - This means the requirements are not open to any interpretation by member states (as current DPA laws are) as they pass them into local country laws; as the requirements are written, so they shall be done.
- Data Breach Disclosure - All personal data breaches are required to be reported, and so publicly disclosed, likely within 48 hours of their occurring. This also applies to data processors: no more hiding behind data controllers for them. Presently only public sector organisations in the UK have to report personal data breaches to the ICO.
- Major Fines for Non-Compliance - Fines of up to 5% of global annual turnover are enough to rock any boardroom with concern.
- Data Processor Liability - A Data Processor will be on a par with a Data Controller. This will be a major concern to cloud service providers.
- The Right to be Forgotten - Businesses must abide by data subject (EU citizens) requests to erase their personal data.
- The Right of Portability - Businesses must be able to provide any held personal data in a format which lends itself to moving/sharing with other organisations upon the request of the data subject.
- Data Protection Officer - Most UK businesses will be required to appoint a Data Protection Officer.
- Applies to Non-EEC Business Processing EU Citizen Data - Even if the UK opts out of the EU, UK businesses which touch European citizens’ personal information will still need to comply with the EU regulation. This also means US companies that process EU citizen data must comply as well, no matter where their data centres are: bad news for the likes of Facebook, Microsoft, Apple and Google.