What is GDPR and Why Do You Need To Know?
Geoffrey Cooling
Providing Strategic Communications & Business Channel Modelling Services
In this, the first of a couple of articles, I would like to introduce you to GDPR and outline what it will cover. While Brexit is looming, it will in fact have little effect on GDPR: the UK Government has championed the changes and is expected to adopt them even if the UK completely separates from the EU.
So let's talk about the act. Before I do, I want to point out that this covers your business; it covers every business, from a one-man show to a multinational.
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
The regulation was adopted on 27th April 2016. It becomes enforceable from 25 May 2018, after a two-year transition period, and, unlike a directive, it does not require national governments to pass any enabling legislation; it is thus directly binding and applicable.
The GDPR does not just cover data within the Union; it also addresses the export of personal data outside the EU. In essence, the regulation is designed to give control back to citizens and residents over their personal data. It will also simplify the regulatory environment.
Data Includes Paper Records
While many will consider this a digital regulation, it is important to remember that data can also be held on paper records. So we need to consider patient record cards and their handling as well as true digital data.
The Scope
The regulation applies if the data controller (that's you), the processor (Sycle, IPRO, Audidata etc., basically any customer data management system) or the data subject (the person) is based in the EU. However, the regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents.
I will cover in a later article who exactly is compliant and who isn't right now. Surprisingly, some of the patient management systems are not GDPR compliant, although I have no doubt that they are working towards it. Some are completely compliant.
What is personal data?
According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."
The Penalties
Under GDPR, organizations in breach of the regulation can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
There is a tiered approach to fines, e.g. a company can be fined 2% for not having its records in order (Article 28), for not notifying the supervising authority and the data subject about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning 'clouds' will not be exempt from GDPR enforcement.
What Now?
Simply put, you seriously need to consider your handling of data. You need to consider the security of any personal data collected. As I said, that includes paper records.