The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years – we’re here to make sure you’re prepared. We assist organisations in preparing for GDPR compliance by supporting them through a number of activities that align them with the requirements of this new legislation. Should you be interested, just firstname.lastname@example.org
What GDPR is
The GDPR is Europe’s new framework for data protection laws. It replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organisations across the region approach data privacy.
When it will come into effect
The GDPR was approved and adopted by the European Parliament on 14 April 2016. It creates a new regulatory framework unifying data protection laws across the EU member states. The regulation takes effect after a two-year transition period and will be in force from 25 May 2018.
Who it applies to
The GDPR applies to EU-based companies and to companies that collect data of EU citizens, regardless of whether they have a physical presence there.
What organisations have to do to be compliant
Organisations must do the following things to be in line with GDPR:
- You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have;
- You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit;
- You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation;
- You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format;
- You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information;
- You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it;
- You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard;
- You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity;
- You should make sure you have the right procedures in place to detect, report and investigate a personal data breach;
- You should familiarise yourself now with the latest guidance from the Article 29 Working Party, and work out how and when to implement it in your organisation;
- You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer;
- You should determine your lead data protection supervisory authority if your organisation operates in more than one EU member state.
Read more: 12-step plan to prepare you for GDPR
Under GDPR, organisations in breach of the regulation can be fined up to 4% of annual global turnover or €20 million. This is the maximum fine that can be imposed for the most serious infringements, for example not having sufficient customer consent to process data or violating the core Privacy by Design concepts. Fines are tiered: for example, a company can be fined 2% for not having its records in order, for not notifying the supervisory authority and the data subject about a breach, or for not conducting an impact assessment.
Sources: https://www.eugdpr.org and https://ico.org.uk