GDPR – Liabilities to your business

Under GDPR it won’t just be the Data Controller (DC) who is held liable for data processing issues. Liability and responsibility will extend to all organisations that touch the personal data of the subject / subjects. This will help to ensure that companies / organisations take a close interest in all parts of the data storage and processing chain to ensure compliance all the way along, within the organisation, and in the choosing and management of 3rd party relationships.

Privacy Must be Designed and Built-in to the System

Privacy by design means that your software, your systems and processes must be designed around compliance with the principles of data protection every step of the way.

If you use 3rd party companies e.g. cloud suppliers, you are reliant on them building-in privacy by design, such as encryption. Other elements of your systems, such as bespoke software written before privacy by design and using software that doesn’t use encryption is, therefore, likely to be non-compliant. Old systems may, therefore, need to be replaced.

Keeping Audit Logs

Under GDPR something as simple as a published privacy policy will no longer suffice. Companies / organisations will have to keep an audit log of how they are compliant. Privacy must be by default, and companies / organisations must have concrete proof of their compliance.

The Regulations Apply Wherever You are in the World

Under GDPR, any European data protection authority is able to take action against organisations regardless of which country they are based in.

The Penalties are Much Bigger

The penalties for non-compliance with GDPR are much greater than the penalties for non-compliance with the existing Data Protection Act. Figures / analysis by Oliver Wyman, for example, show that FTSE 100 companies could face fines of up to GBP 5 billion for breaches of the GDPR. Had GDPR been in place for the past five years, the top listed UK companies could have been fined GBP 25 billion.

Under GDPR, failing to gain consent to process data or a breach of privacy by design, will mean that companies / organisations will be fined up to €20 million, or 4% of their global turnover (whichever is greater).

Under GDPR, fines will be levied using a tiered approach, depending upon the scope of the violation. Lesser violations e.g. records not being in order, or failure to notify the supervisory authorities, or not conducting a PIA where it was necessary, could mean that companies / organisations incur fines of 2 per cent of global turnover.