The impending arrival of the EU General Data Protection Regulation is requiring businesses to implement changes. We will be posting a mini blog series exploring what GDPR is, how it will it affect your business and the steps you can take to prepare. Check out the first post in the series here.
Although supervisory authorities are already defined under the Data Protection Directive of 1995, the General Data Protection Regulation (GDPR) will entrust supervisory authorities with far greater powers than before in the monitoring of data and the ensuring of data protection. The roles of supervisory authorities under the new GDPR legislation are outlined in the GDPR’s sixth chapter.
The current supervisory authority for national data protection in the UK is the Information Commissioner’s Office (ICO). Once the GDPR becomes fully enforceable in May 2018, the ICO will continue to function as the UK’s supervisory authority.
For businesses that control or process data on residents in multiple EU member states, the GDPR will require that they determine just one supervisory authority to be their lead authority. Under most circumstances, the lead authority will be the supervisory authority established in whatever member state a business considers its place of central administration to be located.
Supervisory authorities are obliged to help businesses in keeping up to date with any changes to legislation. Businesses must take charge of their own compliance and will be solely accountable for any noncompliance after the transition to the GDPR, but supervisory authorities must also provide sufficient advice and guidance for them to follow. In accordance, the ICO has issued their own informative guide to the GDPR on their website.
Under the GDPR, supervisory authorities must also clearly indicate the methods by which any complaints concerning data protection are to be reported to them. If a complaint is found to be valid it is to be handled within a reasonable timeframe and at no cost to the reporter. Complaints can be easily reported to the ICO on their website or through a live chat or helpline.
While supervisory authorities are expected to assist data controllers and processors in their compliance with the GDPR, businesses who control or process data must also be quick to cooperate with supervisory authorities. Data controllers and processors must maintain accurate records of personal data, to be made readily available to supervisory authorities at short notice. Under the GDPR, supervisory authorities will also exercise the right to obtain full access to any equipment and office premises owned by businesses in addition to any data they own.
If data controllers or processors fail to comply with the GDPR, supervisory authorities will be able to impose more severe sanctions than before. Depending on the offence committed, sanctions range from written warnings to fines of up to 20 million euros, or 4% of 12-month turnover—whichever is greater.
In keeping with the overall intents of the GDPR then, the further empowerment of supervisory authorities will prove favourable to those who adhere to the new legislation and a serious impediment to those who do not. If you are sure to correctly protect any data that you control or process, you can consider your supervisory authority to be a valuable ally in the future.
– Freddie Kentish
Leave your email below to stay up to date with our latest tips, tricks and trends on all things business?