What is GDPR (General Data Protection Regulation)?
GDPR stands for General Data Protection Regulation. More specifically GDPR is an 88-page document, adopted on the 27th April 2016, with the full title:
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Designed by the European Parliament, European Council and European Commission – it is a Regulation intended to strengthen and unify data protection for all individuals within the European Community (EU). The underpinning rationale is to give citizens back control of their personal data. It is also intended to simplify the regulatory environment for international business, by unifying the Regulation within the EU.
On the 25th May 2018, GDPR will replace the current Data Protection Act (1998). Note that the Data Protection Act was a directive, whereas GDPR is a regulation. A regulation is a binding legislative act. A directive is based around working toward and achieving a goal.
GDPR will in effect become ‘law’ on the 25th May 2018, and the penalties for non-compliance are significant (the maximum fine being up to 4% of annual global turnover, or 20M Euro).
The governing body in the UK (the authority with responsibility to enforce and penalise) is the ICO (Information Commissioner’s Office), headed by the Information Commissioner Louise Denham. Originally formed in 1984, the ICO oversees a number of data, privacy, and freedom of information regulations – with the specific remit: “The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.”
More information regarding the ICO (specifically around monetary penalties taken to date) can be found here.
The Key Points to be aware of for GDPR are:
- Scope: The Regulation primarily applies to a business established in the EU, but will also apply to businesses outside of the EU that manipulate data relating to the provision of goods or services to the EU.
- Data Processing: The processing of data must comply with six general principles and satisfy a minimum processing condition.
- Data Processors and Data Controllers: Data is processed either as a ‘Processor’ or as a ‘Controller’ – a Processor acts only on the instructions of a Controller. Contractual terms will need to include new provisions, and Processors may be jointly liable for any compensation claim.
- Data Protection Officer: Depending on the level of processing your business undertakes, you may be obliged to appoint a Data Protection Officer.
- Individuals’ Rights: Individuals have new rights such as the right to be forgotten, the right to object to direct marketing, and the right to access their own personal data.
- Consent: Obtaining consent from an individual or organisation will be much harder under the new Regulation. Specific consent must also be sought where data may be transferred outside of the EU.
- Children: Online consent must be authorised by an adult.
- Data Security: Data must be kept secure (e.g. encrypted) and any security breach of data must be reported to the supervisory authority (i.e. ICO) within 72 hours.
- Accountability: Emphasis is not only on the compliance of the six general principles but also on an ability to evidence best-practice e.g. certification.
- Privacy Policies: These will need to be much more explicit, transparent and intelligible.
Six reasons why most Businesses believe GDPR is important
- GDPR is the biggest change in the UK to its Data Protection laws in over 20 years
- The changes are significant and far-reaching for almost all businesses
- GDPR is a regulation (law) not a directive (the current Data Protection Act)
- Maximum penalties are severe
- The exponential increase in cyber crime will further expose non-compliance
- Brexit will make little if any difference
How you and your business can prepare for GDPR
- Get Board Level awareness within your organisation. GDPR and Cyber Security are important and significant enough to form part of any Management Board Risk Register. The Directors within your business certainly need an awareness (not least of the consequences of non-compliance); you may also need their budget approval for necessary research and rectification
- Undertake an audit of your existing Data Subjects and any Data Protection policies – in-line with new GDPR requirements
- Determine whether your business needs to appoint a Data Protection Officer. At least identify a single point of contact within your organisation
- Consider whether you need to undertake a DPIA (Data Protection Impact Assessment), based upon the risks associated with the specific processing you are undertaking
- Ensure your IT Systems/Department have the necessary tools and policies in place to enforce and comply with Data Subjects’ rights, e.g. the ability to surface data, to encrypt data, to erase data, and to transfer data
- Determine if, why and where data is held – or could be transferred – outside of the EU
- Ensure that Data Processing Systems are built in adherence to a ‘Security by Design’ methodology
- Make sure that all points of data collection comply with GDPR ideals i.e. explicit opt-in where required, documented rationale as to specifically what is being held and for what purpose
- Seek best-practice advice and where required seek appropriate certification e.g. ISO27001
- Remember that your Data Subjects are not only prospects and customers, but also your employees (who have significant rights)
- Review your Supplier Agreements – specifically around the concept of Data Processor and Data Controller
For further guidance you can download our following GDPR Resources:
- Our GDPR Summary Guide – over 80 pages of useful reading for you and your board members
- Our GDPR Checklist
- GDPR Event – Free to attend on the 9th May 2017 in London
- You can contact us for GDPR Data Protection Consultancy