You’ve probably heard of GDPR but what does it mean? Firstly, it stands for General Data Protection Regulation. The main objectives are:
- To give everyone in the EU back control of their personal data
- Simplify the regulatory environment for international businesses as there are so many regulations that it’s all getting a bit confusing
It will apply from 25th May 2018 so just over a year to prepare. It will also supersede the Data Protection Act 1998 (the one we all know and love).
But we’re leaving the EU so can’t I ignore it? Even though Article 50 has been triggered, the UK won’t be out of the EU by May 2018, so this regulation is not something to be ignored!
Is it just for organisations in the EU? No. It applies to any organisation that markets goods or services to EU residents, regardless of its location.
So who does it apply to? There are two groups that should abide by the GDPR:
- Controllers. A data controller states how and why personal data is processed (this could be any organisation whether charity or profit making company)
- Processors. A data processor is the group doing the actual processing (this could be an IT company)
It’s the controller’s responsibility to ensure their processor abides by the new regulations.
So what do we actually have to do? Controllers must ensure personal data is processed lawfully, transparently and for a specific purpose. Once that purpose has been fulfilled the data is no longer required, so it should be deleted. Personal data can’t just be kept forever. Controllers will have to keep a record of how and when an individual gave permission – and make it easy for that individual to withdraw their consent. According to the European Commission, personal data is “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking sites, medical information, or a computer’s IP address”.
Controllers also have to make it easy for people to access their data (they’ll have to approach the company to get access and the company must get back to them within a month).
There’s also the “right to be forgotten”. This is when individuals can ask for their data to be deleted if it’s no longer necessary for the purpose for which it was collected.
What happens if there’s a data breach? If a company suffers a data breach then they must notify the data protection authority within 72 hours. If this doesn’t happen then there’s a big fine…up to 10m Euros or 2% of your global annual turnover, whichever is greater.
What happens if you don’t comply with the new regulation? The fines get worse. Up to 20m Euros or 4% of your global annual turnover, whichever is greater.
So what’s next? Start preparing now. Determine if your company needs a data protection officer to oversee the process. Take a look at your current processes and procedures for data security; you may already be covered. Ensure any personal data that you currently store is secure – this should already be the case though. Check the data protection policies of your third-party suppliers, as they may be your processors – you don’t want them to let you down. You may have to amend the contracts with your suppliers to make sure everything is covered. This is the toughest privacy regulation in the world, so don’t leave it to the last minute. As you can imagine, the internet is full of useful advice. I recommend that your next port of call is the main GDPR website.