Although the EU General Data Protection Regulation (GDPR) is not coming into force until May 2018, organisations need to act now to understand the changes that it will mean and be prepared to comply with the new rules.
1. What is it?
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It is intended to harmonise data privacy laws across Europe. The GDPR protects and empowers individuals, providing them with more control over their personal data, commands transparency in how data is used and ensures data privacy is protected through security measures and controls.
2. When does it come into force?
The enforcement date for the GDPR is 25 May 2018. Organisations that fail to comply will face heavy fines.
3. Who does the GDPR apply to?
The GDPR applies to all organisations that offer goods or services to, or monitor the behaviour of, EU data subjects. This extends to all companies that process and hold the personal data of EU residents, regardless of the company's location.
It applies both to data controllers, who determine how and why personal data is processed, and to data processors, who act on the controller's behalf.
The regulation is applicable to organisations of any size and from any industry.
4. What constitutes personal data?
Personal data is defined as any information relating to an individual that can be used, directly or indirectly, to identify that person. This can include a person's name, photo, email address, bank details, social media posts, medical information or a computer's IP address.
5. Will Brexit mean this doesn’t apply to UK companies?
The UK government has confirmed that the decision to leave the EU will not affect the commencement of the GDPR. Therefore, UK companies must still comply or they will be subject to the non-compliance penalties.
6. Does my organisation have to appoint a Data Protection Officer (DPO)?
A DPO must be appointed if you are a public authority, carry out large-scale systematic monitoring of individuals, or process certain categories of data, including data relating to criminal convictions and offences.
The GDPR requires that a DPO has professional experience and knowledge of data protection law.
7. What are the penalties for non-compliance?
Organisations that are non-compliant with the GDPR face penalties of up to 4% of annual global turnover or €20 million, whichever is greater. Fines can also be imposed for failing to notify the relevant parties of a data breach.
8. How can we get help preparing for the GDPR?
The May 2018 deadline for GDPR compliance is fast approaching. Given the amount of work many organisations will face to reach compliance, there is no time to lose in getting started if the substantial fines for non-compliance are to be avoided.
Organisations that are bound by the GDPR should engage a service provider who can help them meet their compliance requirements.
P2V Systems can help you prepare for GDPR compliance. Our GDPR consultancy service will perform a GDPR readiness audit and can provide a Data Protection Officer where one is required. Our technical support team can then help ensure you have the data management solutions in place to achieve GDPR compliance.