GDPR- What you will need to know.
As you may already have seen all over LinkedIn, the implementation of GDPR is creeping up on us. With GDPR coming into force so soon, it is highly recommended that you learn as much as you can about how you manage your customers' data.

Enforcement of the GDPR begins on 25 May 2018.

What is it?

GDPR is the General Data Protection Regulation. It is the EU law governing how businesses collect, process and manage personal data, written to protect the rights of the individuals that data is about. The regulation was adopted back in 2016, but from 25 May 2018 the supervisory authorities overseeing the GDPR can start investigating whether businesses are compliant. Many of those investigations will be triggered by complaints from individuals. With the GDPR taking non-compliance very seriously, it is an absolute must to understand how the GDPR will affect your job role within your business.

Who does it affect?

It applies to any organisation that processes the personal data of individuals in the EU. It affects not only businesses based in the EU but also companies outside it that deal with customers in the EU. A business based in, for example, the USA that offers goods or services to clients in the EU must be GDPR compliant too. It also affects online businesses with leads and/or sales coming from the EU.

How is it enforced?

Think of the GDPR as the tougher, stricter and unforgiving version of the UK's Data Protection Act, but set at EU level. The GDPR is intended to be the powerhouse that brings a heavier hand down on data misuse. It isn't only about monetising non-compliance; the focus is on protecting the data of individuals in the EU. Under the new law, data protection authorities can suspend data access or processing, reprimand companies, or fine non-compliant companies. Fines go up to 10 million euro or 2% of worldwide annual turnover (lower tier) and up to 20 million euro or 4% of worldwide annual turnover (upper tier), whichever is higher.

Core principles of the GDPR - It sets out the rules that govern data processing.

These are the 6 lawful bases for processing personal data. Every processing activity needs at least one of them.

1. Consent (freely given, specific, informed, and revocable at any time)

2. Contractual Necessity (processing needed to perform a contract with the individual)

3. Compliance with a Legal Obligation (under EU or member state law)

4. Protection of Vital Interests (e.g. someone's life is at risk)

5. Legitimate Interests (of the business or a third party, balanced against the individual's rights)

6. Public Interest / Public Task

The GDPR is being put into place to create and respect data subject rights.

This shifts control from the company that collects the data to the person the data is about, putting that person in control of what data the company holds and what it does with it.

6 Key Data Subject Rights

1. Right to be forgotten (erasure)

2. Right to access data

3. Right to portability

4. Right to restriction of processing

5. Right to rectify

6. Right to object

What businesses will need to disclose –

Who is managing their data (and how to contact them), what you intend to do with their data, how you will protect it, why you need it, how long you will store it, what rights they have over it, and who else receives it.

Within the GDPR, businesses will have to define the roles and responsibilities of data controllers (who decide why and how data is processed) and data processors (who process it on the controller's behalf).

Data Controllers

·        Taking appropriate measures to ensure processing occurs properly (audits, processes and records).

·        Data mapping to understand what is being processed and the risk to individuals if that data is lost or exposed.

·        Implementing data protection policy, proportional to sensitivity of data.

·        Having a written code of conduct.

Data Processors

·        The implementation of sufficient security measures.

·        Being transparent about the use of sub-processors. A sub-processor can only be engaged with the controller's prior written authorisation, and the same data protection obligations must flow down to it through a contract.

·        Processors must have a contract with the controller that addresses what data is being processed and how it is being used.

With all this in mind, and with so much at stake for non-compliance, I would highly recommend learning as much of the law as possible, as it could well affect you personally, within your job role or in the way some industries run their businesses.

You will need to know this!

*This article does not include every detail of the law, nor is it legal advice. It is just a few key points you should know.

In the UK, the ICO (Information Commissioner's Office) is the supervisory authority overseeing compliance with the GDPR; each EU member state has its own equivalent. The ICO publishes a data protection self-assessment toolkit and a 12-step guide to keeping your business within the law. This is the link to the ICO website to find these guides: ICO GDPR Guide

Happy compliance!

More articles by David Ross