GDPR General Data Protection Regulation

GDPR – GENERAL DATA PROTECTION REGULATION - a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). The regulation becomes enforceable on 25 May 2018, and for some companies and organisations the process of becoming compliant could be a lengthy one.

The fact is that if your business or organisation holds personal data then this new regulation will affect you. However, it seems that not all businesses are ready, or are indeed taking the necessary steps to become compliant within the GDPR time frame.

FACTS

  • 80-90% of companies are still not sufficiently prepared to reach GDPR compliance by May 2018
  • Less than 1 in 3 companies feel prepared for GDPR
  • 97% of companies don’t feel they have a plan
  • GDPR replaces the EU Data Protection Directive (95/46/EC) and the national data protection acts that implemented it

10 REASONS TO PREPARE YOUR ORGANISATION

  • GDPR applies regardless of where your organisation is based: if you hold or process personal data of individuals in the EU (for example by offering them goods or services, or by monitoring their behaviour) you will need to comply.
  • GDPR widens the definition of personal data; it is now any information relating to an identified or identifiable natural person, which includes online identifiers such as IP addresses and cookie IDs.
  • GDPR tightens the rules for obtaining consent to use personal data. Consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action (pre-ticked boxes and silence do not count), and as an organisation you must be able to demonstrate that such consent was given.
  • GDPR makes the appointment of a DPO (Data Protection Officer) mandatory for certain organisations: public authorities, and organisations whose core activities consist of processing that requires regular and systematic monitoring of individuals on a large scale, or of large-scale processing of special categories of data.
  • GDPR introduces mandatory Data Protection Impact Assessments (DPIAs, also called Privacy Impact Assessments). Data controllers will be required to conduct a DPIA where processing is likely to result in a high risk to individuals, to identify and minimise those risks before the processing begins.
  • GDPR introduces a common data breach notification duty, which in practice requires organisations to be able to detect breaches of personal data. A breach must be notified to the supervisory authority within 72 hours of the organisation becoming aware of it, unless it is unlikely to result in a risk to individuals; where the risk to individuals is high, they must be informed as well.
  • GDPR introduces the right to be forgotten, and the data handling principles can now be enforced. Data cannot be held longer than is necessary, and data gathered for one purpose cannot be re-used for a different, incompatible purpose. Data MUST be deleted on request from the person it belongs to (subject to the exceptions in the regulation), which emphasises the fact that the data belongs to the person, NOT the organisation.
  • GDPR extends liability beyond data controllers: data processors, meaning every company or organisation that handles personal data on a controller’s behalf, now carry direct obligations and liability of their own.
  • GDPR requires ‘privacy by design and by default’, meaning that ALL systems and processes MUST be designed with privacy built in. Software, systems and processes must be able to demonstrate compliance, and must be capable of locating and completely erasing an individual’s data so that erasure requests can be honoured.
  • GDPR will allow any European data protection authority to take action against organisations regardless of where in the world they are. Should companies and organisations fail to comply, the fines will be significant: up to 20 million Euros or 4% of global annual turnover, whichever is the greater.

In conclusion:

GDPR is designed to give individuals in the EU back control of their personal data, including the right to have that data erased should they wish it.

Should you need help with compliance and understanding your responsibilities, simply email team@privacytrust.com.