
GDPR - what will happen?


    GDPR - what will happen?

    Just out of interest.......

    There is SO much talk about GDPR in May.
    Do those closer to it know what the landscape will look like post May?
    i.e. I am struggling to know how it will be enforced - who by? Or will it filter out?

    There must be so many businesses, especially SMEs, that could fall foul of the legislation, I imagine.
    Is it one strike and they face a huge fine?

    Cheers.

    #2
    Check out the ICO's guide here : https://iconewsblog.org.uk/2017/09/0...ach-reporting/

    Long and the short of it, those who have been adhering to the Data Protection Act thus far will probably only need some tweaks to policy and procedure. Those that have not will have quite a bit of work to do, one would imagine.

      #3
      WHS

      You do need to re-ask for marketing permission and by what channel - once GDPR drops, if you do not have that you cannot contact people, as you are not supposed to be retaining their PII.

      Watch out for non technical storage for those of you who like to keep paper copies of everything.

      A number of the high profile PII leaks have been down to 2 simple reasons:
      1) Absolutely woeful data security.
      2) Deliberate sales of PII to generate revenue

      I think the biggest battle companies will face will be between data managers, whose job it is to safeguard the data, and marketing managers, who will be under pressure to find new and exciting ways to market to people without breaking GDPR.

        #4
        Originally posted by saptastic View Post
        Just out of interest.......

        There is SO much talk about GDPR in May.
        Do those closer to it know what the landscape will look like post May?
        i.e. I am struggling to know how it will be enforced - who by? Or will it filter out?

        There must be so many businesses, especially SMEs, that could fall foul of the legislation, I imagine.
        Is it one strike and they face a huge fine?

        Cheers.
        I've been wondering myself. None of the big banks seem ready, so what normally happens is they extend the date for compliance.

        It's a hefty fine from memory - I wonder what will happen.

          #5
          We're good to go on it here in Dublin. Slept through a meeting about it only last week...

            #6
            Originally posted by saptastic View Post
            Just out of interest.......

            There is SO much talk about GDPR in May.
            Do those closer to it know what the landscape will look like post May?
            i.e. I am struggling to know how it will be enforced - who by? Or will it filter out?

            There must be so many businesses, especially SMEs, that could fall foul of the legislation, I imagine.
            Is it one strike and they face a huge fine?

            Cheers.
            There is a lot of scaremongering in the industry. There will be no enforcement as such; it's a law change and companies are expected to comply with it. It's usually when the proverbial hits the fan that these things come to light. Those fines are based on a number of conditions: the type of data leaked (personal data or sensitive personal data), the number of records leaked, lack of compliance with the law itself and the current state of security controls in place. These are some of the contributing factors that will determine the fine by the ICO, or local authority, not to mention other possible regulatory fines (depending on your industry) and also litigation from other sources, customers etc.

            Lots of companies will not comply with the law change come May. What will happen? Nothing, as long as you don't get breached. One thing is for certain: some companies will make the headlines and examples will be made of such companies if they have a flagrant disregard for the protection of data.

            Post May, breaches will continue to happen as the threat landscape continues to evolve; all you can do is try to stay ahead of the game.

              #7
              Some small businesses and charities will get fined slightly more than before by the ICO, and the big players will carry on getting away with it - aka business as usual.

                #8
                GDPR fines are a lot bigger than current DPA fines.

                  #9
                  Originally posted by isec View Post
                  There is a lot of scaremongering in the industry. There will be no enforcement as such; it's a law change and companies are expected to comply with it. It's usually when the proverbial hits the fan that these things come to light. Those fines are based on a number of conditions: the type of data leaked (personal data or sensitive personal data), the number of records leaked, lack of compliance with the law itself and the current state of security controls in place. These are some of the contributing factors that will determine the fine by the ICO, or local authority, not to mention other possible regulatory fines (depending on your industry) and also litigation from other sources, customers etc.

                  Lots of companies will not comply with the law change come May. What will happen? Nothing, as long as you don't get breached. One thing is for certain: some companies will make the headlines and examples will be made of such companies if they have a flagrant disregard for the protection of data.

                  Post May, breaches will continue to happen as the threat landscape continues to evolve; all you can do is try to stay ahead of the game.
                  There will be enforcement, and it will be easier to enforce GDPR regulations than it was for the DPA 1998, e.g.:
                  - data subjects no longer have to prove that there was a data breach, they just have to show that some harm was done. So the 'bar' will be lower;
                  - companies must make data subjects' consent to opt out more explicit (so, no more odd-looking tick boxes or double negatives that trick you into accepting marketing material or having your PII sold). The burden of proof shifts from the data subject to the organisation;
                  - data breaches used to incur a £500K fine. Now the fine will be 2-5% of annual turnover;
                  - subject access requests no longer incur a fee, and data can be extracted and sent electronically. Data subjects will no longer have to ponce about paying cheques and waiting loads of time for redacted bits of paper to arrive in the post;
                  - the nature of personal data is now extended to include online identifiers like IP addresses and cookies - companies will no longer be able to claim these aren't within the meaning of PII;
                  - it's an EU-wide regulation (unlike the DPA), so it's harder for companies to hide in different jurisdictions.

                  There's more, but the above gives a good flavour. So yes, it'll be easier for the ICO to enforce. Ignorance will be no excuse!
                  "My God, it's huge!!"

                    #10
                    Originally posted by Swamp Thing View Post
                    There will be enforcement, and it will be easier to enforce GDPR regulations than it was for the DPA 1998, Ignorance will be no excuse!
                    Resistance is useless!
