Will review the Bill soon…

When do individuals have to be notified?

A ‘high risk’ means the threshold for notifying individuals is higher than for notifying the relevant supervisory authority.

However, note the ‘fact’ for ‘myth #5′ on the breach reporting blog:

And organisations need to remember that if there’s the likelihood of a high risk to people’s rights and freedoms, they will also need to report the breach to the individuals who have been affected.

So, in essence, organisations will need to assess the ‘no risk, risk and high risk’ to people’s rights and freedoms. This assumes or requires organisations to somehow get to grips with what constitutes ‘people’s rights and freedoms’. Rights and freedoms (privacy?) are not easy to identify..

The ICO acknowledges this by stating in their blog:
Pan-European guidelines will assist organisations in determining thresholds for reporting, but the best approach will be to start examining the types of incidents your organisation faces and develop a sense of what constitutes a serious incident in the context of your data and your own customers.

The Bill implements the EU General Data Protection Regulation (GDPR) and will replace the Data Protection Act 1998.

Myth #4

GDPR is an unnecessary burden on organisations.

Fact

The new regime is an evolution in data protection, not a revolution.

Read the ICO blog on GDPR is an evolution in data protection, not a burdensome revolution

Myth #2

You must have consent if you want to process personal data.

Fact:

The GDPR is raising the bar to a higher standard for consent.

Myth #3

I can’t start planning for new consent rules until the ICO’s formal guidance is published.

Fact:

I know many people are waiting for us to publish our final guidance on consent. Businesses want certainty and assurance of harmonised rules. Waiting until Europe-wide consent guidelines have been agreed before we publish our final guidance is key to ensuring consistency. The current timetable is December.

The ICO’s blog on consent is not the silver bullet for GDPR compliance

Shattering the myths about #GDPR – Read the first in a new series of ICO blogs, this one about fines scaremongering https://t.co/gpJV8P0Zcn pic.twitter.com/oxLZcMkktB

— ICO (@ICOnews) August 9, 2017

Today's highlight -just catching up #DPBill UK's #GDPR Planned Reforms at https://t.co/plYQsJetxk

— cher devey (@datachainrisk) August 7, 2017

My high-level map of GDPR fines (pdf)

Although my PhD research is not on GDPR fines, the outcome from my research should help organisations to be better prepared to respond to data breach incidents.

Not notifying affected data subjects when ordered by the data authority (ICO) fall under the high 1st level of fines i.e. 4% or EUR20M. However, failure to notify the data breach to the data authority (ICO) and to data subjects exposed organisations to the 2nd level of fines i.e. 2% or EUR10M. In essence be prepared to be fined when you failed to comply with the breach notification requirements, Art 33 and Art 34.

Note that when organisations have a security breach i.e. failure to comply with the data processing principles Art 5 (1)(f) (failure to use appropriate technical or organisational measures), this falls under the high 1st level of fines

So..there’s no way to avoid the fines unless you can totally avoid security breaches or avoid falling foul to the data processing principles.

Currently, the guidelines:

Guidelines on the right to “data portability”, wp242rev.01 pdf

Guidelines on Data Protection Officers (‘DPOs’), wp243rev.01 pdf

Guidelines on The Lead Supervisory Authority, wp244rev.01 pdf

Guidelines on Data Protection Impact Assessment (DPIA) or Privacy Impact Assessment (PIA), wp248_enpdf

More to add…