Safe Harbour – Preparing for the New Data Protection Laws

With ever-evolving technology and more data going online by the day, it’s no secret that the law has struggled to keep up. There have been many recent developments in data protection law. In the wake of the Safe Harbour ruling (the Court of Justice of the EU’s decision invalidating the EU-US Safe Harbour framework for transatlantic data transfers), and with tougher EU privacy rules in the form of the draft General Data Protection Regulation expected to come into force in early 2017, it’s more important than ever that you understand what all of this means for your data and your customers’ data, and that you prepare accordingly.

The new rules will affect everyone collecting or storing personal data online or in the cloud, so burying your head in the sand is no longer an option. The grace period for due diligence on Safe Harbour transfers ends on 16 January 2016. By then you must know where your data is held, which laws govern it, what you need to do to secure it, and the very real price you will pay if you don’t.

What are data protection laws?

Data protection laws exist to strike a balance between your right as an individual to privacy and the ability of organisations to use data for the purposes of their business. The law obliges anyone who stores other people’s personal data to take appropriate technical and organisational measures against unauthorised or unlawful processing of that data, and against its accidental loss, destruction or damage. This security obligation is the one that your access controls, encryption, backups and incident response plans exist to satisfy.

What are your obligations?

In order to comply with the current Data Protection Act, a data controller (the person or organisation that determines the purposes for which, and the manner in which, personal data is processed) must comply with the following eight principles:

  1. The data should be processed fairly and lawfully and may not be processed unless the data controller can satisfy one of the conditions for processing set out in the Act.
  2. Data should be obtained only for specified and lawful purposes.
  3. Data should be adequate, relevant and not excessive.
  4. Data should be accurate and, where necessary, kept up to date.
  5. Data should not be kept longer than is necessary for the purposes for which it is processed.
  6. Data should be processed in accordance with the rights of the data subject under the Act.
  7. Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Data should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

What are the main risks if you don’t comply?

Financial – the most obvious and immediate issue is that you and your clients will probably lose money if you experience an attack. On top of that you will face hefty non-compliance fines: the maximum penalty the Information Commissioner’s Office can currently impose is £500,000, but the expectation is that under the new Regulation this will move to a percentage of your overall worldwide turnover.

Operational – the time it will take to get your business back on its feet, and potentially to move your data elsewhere. Lost time means lost revenue.

Reputation – potentially the worst in the long term. Reputation is easy to lose and hard to get back.

This is an extract from the full blog post. For greater detail, further insights and guidance on how to ensure compliance, follow the link: https://bit.ly/1LVd6Gl