GDPR -The New Millennium Bug?

I was recently told, after running through the offerings of Regency to a colleague on my client’s site, “Oh, you offer GDPR? Isn’t that just making shed loads of money like all the new computer consultancy companies did in 1999, leading up to the biggest fraud of the century, selling patches for the ‘didn’t happen’ Millennium Bug?”

To be honest, I was pretty shocked by that statement, one given who it was said by, and two, the fact that unlike the Millennium Bug, GDPR is known to be coming. It’s not a ‘something that may happen,’ it’s not ‘something made up’ it’s real, it’s happening and it’s happening soon. 

GDPR, or to give it its full name “General Data Protection Regulation’ comes into law on 25th May 2018. That’s ages away isn’t it, more than six months, almost ten months, you’ve got loads of time to be ready, haven’t you? To be ready for whatever it is? GDPR is a monumental shift in data protection, it’s off the Richter Scale. In fact, it’s so monumental, there are numerous countdown clocks on the internet, inexorably counting down the seconds, the minutes, the hours, the days until this becomes law. You can find one here . (http://www.gdprcountdownclock.com/) Oh by the way, BREXIT isn’t going to mean we in the UK don’t have to comply, I’m pretty sure it’s in the ‘Great Repeal Bill’ which will transfer many EU laws into UK law when BREXIT happens.

This short article is not going to list everything that GDPR will oblige any, and every, organisation that holds personal data, to comply with, but here’s just a few bullet points on what GDPR means and the difference between it and the DPA.

  • GDPR applies to the individuals holding the data (the controller and processor in DPA (Data Protection Act) terms).
  • If you must comply with the DPA, then you will more than likely have to comply with GDPR
  • It applies solely to organisation operating in the EU (but as I said, BREXIT will not affect the UKs compliance).
  • GDPR applies to Personal Data (HR records, personal contact details etc) together with ‘sensitive personal data’ such as medical records, genetic data etc.

The differences?

  • DPA only applies to the UK. GDPR applies to the EU and to any global company who hold data on EU citizens
  • DPA is enforced in the UK by the ICS (information Commissioners Officer). GDPR will be enforced by a supervisory agency here in the UK and in every EU country.
  • Should you breach the DPA fines can be as high as £500,000 or 1% of your annual turnover. Breach GDPR, then fines could be as high as E20,000,000 or 4% of annual turnover.
  • Under the DPA, you don’t need a DPO (Data Protection Officer), for organisations with 250 plus staff, within the GDPR you do.
  • You don’t need to report data breaches under the DPA, you most certainly do within GDPR
  • You don’t need to delete data under the DPA, you most certainly do in GDPR. Any person has the right within GDPR to request to be ‘forgotten’ to have all of their data removed, from everywhere.
  • PIAs (Privacy Impact Assessments) are not mandatory under DPA, though the ICO has long recommended them; GDPR, they are mandatory.

You can see that GDPR differs greatly from the DPA. There are far more mandated regulations and primarily, it’s accountability that is absolutely key; businesses and organisations must be able to demonstrate that they are compliant with GDPR. There are some ways of showing that, mandated within GDPR such as training, audits, internal HR reviews etc.

GDPR the new Millennium Bug?  I don’t think so. As somebody who was sent home for Christmas leave in 1999 with a pager (remember them) and the instructions “if it hasn’t gone off by 0005 1st January 2000, then Happy New Year, you can have a drink” I’m pretty certain the sun is going to rise on 25 May 2018.

However, I’m no expert on GDPR, but we do have somebody in Regency who is, our Data Protection Officer. If you are from an organisation who processes or holds personal data, however small your organisation is, and you would like a more comprehensive conversation with Regency’s DPO on the subject of GDPR and what it will mean for you, then call our office on 01242 225699 or email us at enquiries@regencyitc.co.uk