It’s unlikely that you’re unaware of the General Data Protection Regulation (GDPR), which comes into force in May this year. It all feels rather closer now 2017 has been replaced by 2018.
We’ve published a GDPR section on our website to help you understand the new legislation and to make sure that your print network and solutions are fit for purpose. We’d also encourage you to contact our experts who are waiting to offer advice on printing under GDPR, and to help you prepare for the new legislation.
Here, we’ve put together eight key differences between the old Data Protection Act (DPA) and the General Data Protection Regulation (GDPR), which replaces it. These eight points don’t cover everything you need to know, but together with your existing DPA-compliance they serve as useful starting statements to think about as you develop your plans for data handling and processing in the future.
1. Reach: GDPR applies wherever you are in the EU (and it will still apply regardless of Brexit), and includes data controllers and processors anywhere else in the world that hold data about EU citizens. The DPA currently extends only across the UK.
2. Consequences of non-compliance: Penalties increase under GDPR to potential fines of 20 million Euros or 4% of annual global turnover. This is a substantial rise on the DPA, which had a maximum fine of £500,000 or 1% of turnover.
3. Data Protection Officers (DPO): Are you a public body? Does your business carry out any kind of large-scale data monitoring or processing? Do you have more than 250 employees? Even if not, you may prefer to appoint a DPO to act as a focal point for your GDPR planning and monitoring. This builds on the current DPA legislation.
4. Data breaches: It will be absolutely essential for applicable data breaches to be reported to the Supervisory Authority (i.e. the ICO) within 72 hours. Under the DPA there is strong encouragement to report breaches, but this has been significantly strengthened under GDPR.
5. Rights to erasure and portability: Individuals have the right to be forgotten under GDPR – in other words, they have the right to have their personal data deleted from your records under many circumstances. Individuals also have the right to request their data in an electronic format so that it can be moved elsewhere under certain circumstances.
6. Privacy by design and by default: Under GDPR, if you don’t already, you must consider information security and data protection in your planning from the word ‘go’, not just as an afterthought. Privacy by design has been championed by the ICO for some time, but it is now an express legal requirement which makes Privacy Impact Assessments mandatory under some conditions. Children’s data has special protection for the first time under GDPR.
7. Opt-in: Before collecting data from individuals you need their explicit consent, accompanied by clear privacy notices. It must also be clear how to opt out of communications. Verifiable consent is everything under GDPR, and it must be obvious how to withdraw that consent at any time. Under the DPA there wasn’t necessarily a requirement for opt-in to, for example, become part of an email marketing list.
8. Accountability: You’ll need to be able to demonstrate that you are achieving compliance with the principles of the GDPR – from staff training to documentation of your processes. It’s all very well thinking about points 1-7, but how are you going to prove that you have taken action?
For more information see our GDPR webpages, and the ICO’s Guide to the General Data Protection Regulation. New information is being added frequently as the guidance is expanded and improved. Their document ‘Preparing for the GDPR in 12 Steps’ also makes useful reading.
We’ll be looking specifically at ways your print fleet can contribute to GDPR compliance in a future post. As part of your office environment, data security within your print devices and solutions is just as important as data security within the rest of your IT infrastructure - call us today for advice.