The GDPR countdown is on, and with the legislation coming into effect on the 25th May 2018, businesses large and small are starting to prepare for the upcoming changes to data protection within their organisations…
But what is GDPR?
In simple terms, the General Data Protection Regulation is a brand-new set of rules intended to give EU citizens more control over their data. The new rules have been set out to reflect the world we’re living in now, and to make data processes ‘fit for the digital age’.
Under the new rules, organisations will need to be sure that they are gathering personal data legally and under very strict conditions. Businesses will need to ensure that whatever data is collected is also protected from misuse and exploitation, whilst respecting the rights of data owners.
The definition of personal data under GDPR has been extended from the existing legislation and now includes names, addresses, photos, IP addresses, and sensitive personal data such as biometric and genetic data that could be processed to identify an individual.
Under the new regulation, consumers will have easier access to their data and to how it is processed; organisations will need to detail how they intend to use customer information in a way that is clear and understandable to consumers. Another new change is the right to erasure, also known as the ‘right to be forgotten’. This enables individuals to request the removal or deletion of personal data where there is no compelling reason for its continued processing.
When the new legislation comes into effect, organisations will be obliged to report any data breach that involves unauthorised access to or loss of personal data and that is likely to put the rights and freedoms of individuals at risk, for example through damage to reputation, financial loss, loss of confidentiality, or any other economic or social disadvantage. Any such breach must be reported to the ICO within 72 hours of the breach.
The new regulation can bring hefty fines if organisations fail to comply. The maximum fine will be 20 million euros or four percent of worldwide turnover, whichever is greater. The fine will depend on how severe the breach is deemed to be, and covers infringements of the rights of data subjects, unauthorised international transfer of personal data, and failure to put procedures in place for, or ignoring, subject access requests for their data.
We think it’s fair to say that GDPR sounds pretty complicated; however, for the most part it is about consolidating current principles, establishing exactly what needs to be achieved in order to comply, and determining who the company’s data controller is so that these processes are put in place and managed correctly.
Although the UK is set to leave the EU on 29 March 2019, the UK government has stated that this will not have an effect on GDPR being enforced in the country, meaning organisations in the UK will still be required to comply with the General Data Protection Regulation.
For more information on GDPR and how it will affect you and your business, visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/