Your Quick Guide to GDPR

Increasing Penalties For Breaching GDPR

The number of penalties issued for breaches of GDPR (General Data Protection Regulation), one of the strictest privacy laws in the world, has been steadily increasing since the EU implemented it in 2018, from a total of €436k in its inaugural year to fines of more than €1 billion in 2021 – a 521% increase compared to the €171 million the year before.

Some of the businesses stung by the 412 GDPR penalties issued last year include the messaging service WhatsApp, which was dealt a €225 million fine, and Amazon, which was handed a €746 million fine.

GDPR In The UK

Despite the United Kingdom leaving the European Union two years ago, British legislation is still closely aligned with EU law, so GDPR has been retained in domestic law as the UK GDPR.

GDPR – which governs the way in which we can use, process, and store personal data – requires organisations to safeguard personal data and uphold privacy rights. UK GDPR places specific legal obligations on a processor (someone who is responsible for processing personal data), such as maintaining records of personal data and processing activities. Processors are legally liable if they are responsible for a breach.

What Does Personal Data Include?

According to the Information Commissioner’s Office, personal data is information that relates to an identified or identifiable individual, so if it is possible to identify an individual directly from the information you are processing, then that information may be personal data.

Should You Appoint a Data Protection Officer?

You should appoint a Data Protection Officer if one of the following applies to your organisation:

  • It has 250 or more employees,
  • It is a public authority, or it is involved in regular and systematic monitoring of data subjects on a large scale.

The DPO can be an existing employee or externally appointed, but must fulfil the following criteria:

  • Be independent,
  • Be an expert in data protection,
  • Be adequately resourced,
  • Report to the highest management level.

Internal Processes

Organisations also need to establish processes to detect, report and investigate breaches, as GDPR requires that all organisations notify the ICO (Information Commissioner’s Office) of all data breaches that are likely to be damaging to an individual, such as identity theft or a confidentiality breach.

If you process any personal data, you can register as a data processor with the Information Commissioner’s Office by visiting the ICO website: https://ico.org.uk/for-organisations/data-protection-fee/faqs-data-protection-fee-payment-and-online-registration/

If you would like any further advice regarding the above, or information on how Aible can help with your HR concerns, get in touch with us at ami@aible.co.uk.
