Have you ever thought about just how much of your personal information is held by countless businesses or organisations? Name, email address, race, political preferences, memberships – the list is endless!
Whilst the Data Protection Act currently offers some protection against this information being passed on, from 25th May the EU’s General Data Protection Regulation will come into force. This will directly affect anybody who controls or processes any form of personal information and essentially means that personal details can only be used ‘lawfully’; for example, where prior consent has been given by the individual, or where the use is necessary to comply with a legal obligation.
A new concept being brought in by the GDPR is a person’s ‘right to be forgotten’. At any point, anybody can contact an organisation and demand that any personal information belonging to them is deleted entirely.
For organisations which hold or process data, a breach of these regulations could result in catastrophic consequences. Firstly, the person whose data has been breached must be informed. Crucially, any breach must then be reported to the Information Commissioner’s Office within 72 hours of first becoming aware of it.
Failure to report within this time frame could result in a £10 million fine. If it is found that your organisation did not have sufficient systems in place to protect this information in the first instance, or that there was no justification for holding the data, the fine could be up to £20 million.
Could your organisation survive these penalties?
For drafting compliant privacy statements, policies or reviewing your Terms and Conditions or other areas of contract law, contact us on firstname.lastname@example.org.