The General Data Protection Regulation (GDPR) emphasises transparency, security and accountability.
The GDPR replaces the Data Protection Directive 95/46/EC. It was approved and adopted by the European Parliament in April 2016, and enforcement commences on 25 May 2018. The regulation was introduced for the following reasons:
- to harmonize data privacy laws across Europe
- to protect and empower the data privacy of everyone in the EU
- to reshape the way organizations across the region approach data privacy.
The GDPR is a regulation: a binding legislative act that applies directly in every EU member state, without each state having to pass its own implementing law.
In contrast, the previous Data Protection Directive only set out goals that each member state was expected to achieve through its own national legislation, which led to inconsistent rules across the EU.
The GDPR applies to organisations of all sizes, including Small & Medium Enterprises (SMEs).
The GDPR applies not only to organisations established and operating within the EU, but also to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. In short, it applies to any company processing or holding the personal data of people who are in the European Union, regardless of where the company itself is located. Note that the test is where the data subject is, not their citizenship.
The aim is to ensure that people in the EU can trust that personal data they supply to any company worldwide is treated exactly as it would be by a company in their own country, and that they have the same protections under the law everywhere in the EU.
Personal data is defined as any information relating to a natural person that can be used, directly or indirectly, to identify that person. It can be anything from a name, a photo, an email address or bank details, to posts on social networking websites, medical information or an IP address. Pseudonymised data that could still be linked back to a person (for example with a lookup table held elsewhere) remains personal data under the regulation.
The consequences of a GDPR violation vary depending on the nature and gravity of the infringement, whether the processor or the controller was at fault, and whether the breach was the result of negligence or was intentional.
Penalties for breaching the GDPR can be severe: up to €20 million or 4% of an organisation's annual global turnover, whichever is higher. Fines are tiered. The lower tier (up to €10 million or 2% of global turnover) covers obligations such as notifying data breaches, carrying out impact assessments and keeping records of processing in order; the upper tier (up to €20 million or 4%) covers the core principles, including processing data without a valid lawful basis such as customer consent, and breaches of data subjects' rights.
It is vital that organisations of all sizes are prepared before the enforcement date of 25 May 2018, to avoid serious penalties.
The Data Protection Commission in Ireland lists 12 steps that organisations can take to prepare themselves for the new regulation:
- Awareness – identify problem areas by carrying out risk assessments
- Accountability – identify what personal data is stored, why it is stored, and whether that storage is necessary and secure
- Communication – ensure staff and users are aware of the changes and of how data is used
- Privacy Rights – put procedures in place for access, rectification, deletion and portability requests
- Timescales – subject requests must normally be handled within one month
- Legalities – confirm that your business has a lawful basis for each processing activity
- Customer Consent – how consent is obtained, recorded and withdrawn
- Child Data – age verification systems and guardian consent
- Data Protection Impact Assessments – build them into all future projects that involve personal data
- Reporting – ensure procedures to detect, report and investigate any data breach, bearing in mind that notifiable breaches must reach the supervisory authority within 72 hours
- Data Protection Officers – determine whether you must designate a DPO and who will hold the role
- Cross border processing – identify your lead supervisory authority
These are condensed points to illustrate the areas organisations need to be aware of in preparation for the GDPR; more detail is available in the Data Protection Commission's own guidance.
If you are concerned that your business is not GDPR ready, get in touch with our expert consultants at Solveit for advice on how your business can adopt procedures to ensure compliance.