What is the GDPR and Who is Affected?
The General Data Protection Regulation (GDPR) was adopted and approved by the EU parliament in April 2016 and will supersede the UK’s Data Protection Act 1998.
The GDPR will come into force on Friday 25th May 2018. It will apply to organisations located within the European Union (EU), but also to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
The main intent of the GDPR is to give individuals more control over their personal data, impose stricter rules on companies handling it, and make sure companies embrace new technology to process the influx of data produced.
From 25th May 2018, failing to abide by the GDPR’s principles will lead to fines of up to 20 million euros or 4% of global annual turnover, whichever is greater. It is important to note that these rules apply to both controllers and processors, meaning ‘clouds’ will not be exempt from GDPR enforcement.
According to Article 4 of the EU GDPR, controllers and processors are defined as:
- Controller – “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
- Processor – “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
How to Prepare for GDPR
The Information Commissioner’s Office (ICO) has produced a checklist that highlights 12 steps businesses should take to prepare for GDPR. Let’s look at these steps below:
- Awareness: Ensure decision makers and key people in the organisation are aware that the law is changing to GDPR.
- Information You Hold: Document what personal data your firm holds, where it came from and who you share it with. Consider undertaking an information audit.
- Communicating Privacy Information: Review your current privacy notices and create a plan for making any necessary changes in time for GDPR implementation.
- Individual Rights: Check procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Subject Access Request: Update your procedures and plan how you will handle requests within the new timescale and provide any additional information.
- Lawful Basis for Processing Personal Data: Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
- Consent: Review how you seek, record and manage consent and whether you need to make changes. Refresh existing consent now if it does not meet the GDPR standard.
- Children: You may need to have a system in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
- Data Breaches: Ensure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data Protection by Design and Data Protection Impact Assessment: Conduct a Data Protection Impact Assessment (DPIA) to identify risks to privacy and determine solutions for mitigating said risks.
- Data Protection Officers: It may be necessary to designate a Data Protection Officer or someone within the organisation to take responsibility for data protection compliance.
- International: If your organisation operates internationally, you should determine which data protection supervisory authority it is governed by.
Want to learn more? Join expert speakers from Eze Castle Integration on Wednesday 13th September 2017 for a complimentary webinar on GDPR. To register, please email eci.marketing at eci.com.