On the 25th May 2018 the European General Data Protection Regulation (GDPR) will come into force. There will be no grace periods and all organisations are expected to comply with this Regulation on this date.
Unlike current data protection legislation, which is enacted and enforced nationally, it will apply directly and uniformly in every EU member state, bringing a single approach to data protection throughout the EU. It will also apply to any company, wherever it is based, that offers goods or services to individuals in the EU or monitors their behaviour. This will demand a change in the way businesses approach privacy.
Beyond reinforcing the data protection rights of individuals and simplifying the free flow of personal data within the EU, one of the most significant changes is in the area of accountability.
GDPR creates a responsibility on companies to understand the risks that they create for others, and to mitigate those risks. It’s about building a culture of privacy that permeates your entire business.
The new regulation also makes the penalties for non-compliance and for breaches much tougher. Administrative fines come in two tiers: up to €10 million or 2% of annual worldwide turnover, whichever is greater, for lesser infringements, and up to €20 million or 4% of annual worldwide turnover, whichever is greater, for the most serious ones. There is also the possibility of being sued by the individual concerned for material or non-material damage.
The GDPR builds on previous data protection legislation, providing more protection for individuals and placing more privacy obligations on organisations.
What is GDPR and will it apply to me?
According to Regulation (EU) 2016/679 (General Data Protection Regulation), Art. 1:
1) It lays down rules for the protection of natural persons with regard to the processing of personal data, and rules on the free movement of personal data.
2) It protects the fundamental rights and freedoms of natural persons, in particular their right to the protection of their personal data.
3) The free movement of personal data within the EU may be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
Ultimately it is a broad, complex piece of legislation. It advances into many new areas and affords individuals new rights, giving them more control over their data and how it is used. They can request that their personal data be erased (the "right to be forgotten"), and data portability is also a new right. Data breaches that pose a risk to individuals will need to be reported to the supervisory authority (in Ireland, the Office of the Data Protection Commissioner) within 72 hours of becoming aware of them, and in some cases to the individuals affected by the breach. Consent will need to be freely given, specific, informed and unambiguous, and companies will need to provide evidence that they have consent if they rely on it for processing data. A pre-ticked box will not be valid consent. And the list goes on.
Quite simply, any company, big or small, will need to embrace and strive for compliance with the new regulation regarding the secure collection, storage and use of personal data.
How can you start the journey towards compliance?
As the 25th May looms, accountability and transparency across your business functions are vital ingredients for the successful implementation of GDPR.
A key foundation towards GDPR readiness is to obtain buy-in from senior management to create the culture and organisational changes required. It is also important that you assign responsibility and budget for GDPR compliance as a first step.
Then it comes down to understanding information governance throughout your organisation. You can do this by mapping data flows and conducting a gap analysis. You must be able to clearly assess the risk associated with the various forms of data you hold and then mitigate those risks. Some sample questions to consider:
- What personal data do you hold?
- Which of the six lawful bases in Article 6 do you rely on for processing personal data? For example, consent, legitimate interests or performance of a contract.
- How is it processed?
- Where is it stored?
- Do you share any personal data with a third party?
- Is it secure (for example, encrypted at rest and in transit)?
- Is it readily accessible?
- Who can access it?
- Is it stored according to statutory and non-statutory retention periods?
- Do you have consent?
- What happens if you have a data breach? Could you detect it and report it to the supervisory authority within 72 hours?
- Do you have a GDPR compliant Data Protection Policy?
- Are your employees aware of and trained to support your compliance with GDPR?
These sample questions are just the tip of the iceberg on your path towards compliance. Now is the time to prepare, or prepare to fail.
For further information on how Atlantic Compliance can help you, please click here