GDPR – The need to know!
Michael Conway
Director at Renaissance | Cyber Security | Encryption Devices | Business Continuity
Many organisations will be aware of the General Data Protection Regulation (GDPR) and how it will completely change the way personal information is handled by organisations. The regulations will have far-reaching consequences for how organisations acquire, store and use personal data. The new legislation takes effect on 25th May 2018.
Its implementation has sparked many debates and questions, but in this blog we will aim to answer some underlying questions.
What exactly is GDPR?
It is a new European regulation that covers data protection. It is aimed at improving and unifying the way personal data is currently protected and will replace the current European Data Protection Directive and the Data Protection Act 1998 in the UK, which was adopted when the internet was in its infancy.
What is considered “Personal Data?”
GDPR applies to ‘personal data’, meaning: “Any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”
Such data points can include names, addresses, pictures, bank details, IP addresses, ID numbers, physical/physiological/genetic/economic/cultural features or attributes. In basic terms, any piece of information that identifies you, as you.
Who does GDPR apply to?
GDPR applies to data controllers and data processors. What’s the difference?
A controller determines the purposes and means of processing personal data whereas a processor is responsible for processing personal data on behalf of a controller.
In other words, it applies to every organisation that processes, stores or transmits personal data of EU residents.
NOTE: GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive and for national security purposes.
Does GDPR apply to organisations outside the EU?
Yes! GDPR applies to ANY company that processes the personal data of EU citizens. This means that it not only applies to EU based organisations, but that it also applies to those organisations that are based outside of the EU that offer goods or services to EU citizens or any organisation that processes the data of EU citizens.
What if I don’t comply with GDPR? What are the penalties?
When GDPR is enforced, organisations that breach the regulations may be fined either:
- 2% - 4% of annual global turnover or
- Up to 20 million Euros, whichever is higher
- Frequent breaches of the regulations and failure to address the issue can result in higher fines of up to €40 million
Will the penalties be enforced and how?
It will be up to the national data protection authorities in each jurisdiction to enforce the new rules. It’s also important to be mindful that organisations can be sued privately, which means that non-compliance can be costly even if a company doesn’t get fined by its relevant data protection authority.
However, we will not know the true picture until 25th May.
Do I need a Data Protection Officer?
GDPR calls for some types and sizes of organisations to appoint a nominated Data Protection Officer (DPO). Whether you need to appoint one depends on the nature of your organisation and its processing activities.
What are the individuals’ rights under GDPR?
As the purpose of this new legislation is to increase privacy rights, it will give individuals more rights over and control of their data, whilst giving them fair and transparent information about the processing of their personal data.
To be more specific, individuals will have the following rights under GDPR:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure (also referred to as the ‘right to be forgotten’)
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
What departments of the organisation will be affected?
It will affect any area of your business that deals with personal data, including the data of employees, suppliers and other stakeholders. Human Resources, Sales, Marketing, Customer Services, IT, Finance and Legal are just a few that will be affected.
How will Brexit affect GDPR in the UK?
Brexit will bring a lot of uncertainty. Regardless, organisations based in the UK that will be handling data related to EU citizens will still be affected by GDPR.
Furthermore, the UK's Data Protection Bill and GDPR go hand in hand, so even once the UK is no longer in the EU, it will impose obligations similar to or greater than those of GDPR.
Want to know more?
With the new legislation just around the corner, I hope this provides some clarity on what it entails. However, if you want to know more detail on GDPR and what it implies, visit:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/