This article outlines the key themes of the new General Data Protection Regulation (GDPR) to help businesses understand their corporate responsibilities and the challenges of this new legal framework.
Key facts about GDPR
- A data protection regulation governing the personal data that businesses hold on individuals.
- It is legislation with large fines for non-compliance.
- It makes organisations much more accountable for the data they hold.
- Applies equally in all EU member states, and to organisations outside the EU that offer goods or services to individuals within the EU or monitor their behaviour.
- Organisations with fewer than 250 employees are exempt from some record-keeping obligations; larger firms must keep full records of their processing activities.
- That exemption does not apply to SMEs with under 250 employees where the processing is likely to result in a risk to the rights and freedoms of data subjects, where the processing is not occasional, or where it includes special categories of data as defined in GDPR Article 9.
- It will be enforced across Europe from 25th May 2018.
Overview of Legislation
GDPR is business-critical legislation. Whilst it retains some similarities with the Data Protection Act 1998 (DPA), it is poised to redefine data privacy with some key new requirements and changes from the present DPA.
GDPR applies to ‘controllers’ and ‘processors’ and covers processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals within the EU.
The GDPR legislation is focused on three areas of activity relating to data management:
- Retention and disposition of personal information
- Data inventory and remediation
- Data architecture and design
Incorporating GDPR will present the following challenges to organisations:
- Organisations must have a lawful basis for every use of personal data. Consent is one such basis, and where it is relied upon it must be freely given, specific, informed and unambiguous, and as easy to withdraw as to give.
- Privacy impact assessments (data protection impact assessments) must be conducted to assess risks for high-risk processing.
- Any personal data breach must be reported by your company to the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; affected individuals must also be told where the risk to them is high.
- Individuals’ Rights
- Individuals will have the right to be informed (fair processing information).
- Individuals will have the right to erasure (the right to be forgotten, i.e. to have their data deleted).
- All individuals will have the rights of access, objection and rectification.
- Individuals will have the right to data portability, so data subjects can request that their data be moved from one organisation to another.
- Individuals will have rights related to automated decision making and profiling.
- Individuals will have a right, backed by the regulator, to claim compensation for material or non-material damage (including distress) caused by a breach of the legislation.
- Regulatory Powers
- EU data protection regulators will have more intervention powers.
- Strengthened controls in the way personal data is shared and exported from the EU.
- Potential fines for non-compliance of up to €20M or 4% of annual worldwide turnover, whichever is the greater.
This final point seems particularly punitive.
GDPR is all about INFORMATION GOVERNANCE. Many corporations do not understand the problem of how to deal with the fragmented information they hold on individuals, nor how they will now be held accountable for it.
GDPR will force the issue, and there will be costs in the changes organisations need to make to manage their information, including how they handle legacy and orphan data. How companies and organisations manage and deal with personal data will be critical. Company directors and executives may think they have time, but May 2018 is less than 7 months away, and investigating systems and making the necessary changes takes time. Personal data processing will need a great deal of awareness, planning and coordination.
Directors, stakeholders and investors need to understand this law and realise that the responsibility will rest with the company’s directors.
Some final points to consider
GDPR compliance will require the following:
- Data privacy being integrated into records retention.
- Privacy needs to be designed into systems before they are implemented (privacy by design and by default).
- Personal data for customers and the workforce needs to be managed and held securely.
- Businesses will need to demonstrate that their handling of personal data complies with the legislation. This will involve systems being auditable, processes documented and data managed securely.
- A Data Protection Officer (DPO) must be appointed where an organisation is a public authority, or where its core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. The obligation is driven by the nature of the processing rather than by headcount, so a firm of any size may need one. Businesses that fall outside these criteria need not appoint a DPO but will still need to make someone responsible for overseeing personal data management.
The UK government expects this to be a catalyst for businesses to use the exercise to improve security and gain a competitive advantage.
Contact Edward Tudor at firstname.lastname@example.org if you would like more information. You can also review the Information Commissioner’s Office overview of the GDPR legislation on the ICO website.