Protecting the data of your business should be one of your top priorities. If it isn’t, then you are risking punishment. However, the standards expected and the punishments available are still unclear to many people.
Leading legal experts are struggling to agree whether the EU’s General Data Protection Regulation (GDPR) is in fact already in force in the UK.
If it is in force, and you are found to be in breach, then you could be fined up to four per cent of your organisation’s global annual turnover. That is, if the UK’s data protection regulator, the Information Commissioner’s Office (ICO), waits until May 2018 to act on the issue.
GDPR IS in place
In the opinion of Bridget Kenyon, head of security at University College London, GDPR is already in force.
“Actually GDPR is in force now, but what’s not in place yet is the penalties. So if there’s a breach now, the ICO could hold onto it and give you the penalties in May 2018.”
GDPR is NOT in place
However, the ICO disagrees. A spokesperson for the organisation said:
“GDPR comes into force in May 2018; until then, whilst organisations should be preparing for the new regulation, the Data Protection Act remains in force and any breaches or civil monetary penalties will be considered under that legislation.”
What does the document say?
Article 99 of the regulation, which governs its entry into force and application, reads:
‘This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.’
The GDPR was published in the Official Journal of the European Union on the 4th May 2016, and so technically came into force on 24th May 2016.
However, Dr Kuan Hon, consultant lawyer for Pinsent Masons, clarified this by saying:
“That means that, technically, yes, it’s already in force, and it’s been in force since late May 2016. But, it doesn’t apply as law in Member States until 25 May 2018.”
“If an organisation has an ongoing breach now, but doesn’t discover it until after 25 May 2018, or discovers it but doesn’t fix it until after 25 May 2018 – then it would be exposed to the higher penalties, but this should incentivise organisations to detect and remediate breaches sooner rather than waiting till after 25 May 2018,” said Hon.
To compound this, companies are often asked by law enforcement agencies not to discuss a breach. This allows the police time to track down the hackers and make an arrest. Therefore, if a breach was discovered but not disclosed until after the new punishments come into effect, the company could still face a strong penalty, despite doing what is best for the police.
What should businesses do?
In this case, we recommend erring on the side of caution. If you discover a breach, fix the issue as soon as possible to avoid any potentially stronger punishment come 25th May 2018.
Fortunately, our clients who choose to dispose of their unwanted computers and laptops with Tier 1 can be confident in the knowledge that their data is fully secure. We’re proud to be a Blancco ‘Gold’ partner, and our strong, process-led approach ensures enough checks and balances to guarantee secure sanitisation of data.
If you are looking to dispose of some of your organisation’s old computers, then you know you will be in good hands with Tier 1. To speak to one of our team today, call 0161 777 1000.