What is GDPR?
The General Data Protection Regulation (GDPR) is a new set of rules coming into force on May 25th 2018 that governs how businesses collect, use, and share data from European citizens. It states that companies, EU-based or otherwise, must build data protection into their system design and infrastructure, or risk severe penalties.
What are the key elements of GDPR?
What is a Data Protection Officer?
Data Protection Officers (DPOs) will be at the heart of this new data protection legal framework for many organisations, facilitating compliance with the provisions of the GDPR. A data protection officer is a designated person within an organisation that collects the personal data of EU citizens, and is responsible for making sure that the organisation follows the new regulations.
What are the fines?
There will be a substantial increase in fines for organisations that do not comply with the new regulation.
Regulators (in the UK, the ICO) will now have authority to issue penalties equal to the greater of €10 million or 2% of the entity's global gross revenue for violations of record-keeping, security, breach notification, and privacy impact assessment obligations. However, violations of obligations related to the legal justification for processing (including consent…), data subject rights, and cross-border data transfers may result in penalties of the greater of €20 million or 4% of the entity's global gross revenue.
Will Brexit affect GDPR in the UK?
For the near future, the UK will continue to be subject to the same data protection regime as the rest of the EU. This period may be longer still, depending on how long exit negotiations take. It’s also important to remember that the GDPR will still apply to every business that offers goods and services to EU citizens or that monitors EU citizens’ behaviour, regardless of whether it sits within the EU or not. Organisations still need to focus on getting their GDPR preparations underway as soon as possible.
What information does the GDPR apply to?
1. Personal Data - Like the Data Protection Act 1998, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier (e.g. an IP address) can be personal data. The GDPR applies both to automated personal data and to manual filing systems where personal data are accessible according to specific criteria.
2. Sensitive Data - The GDPR refers to sensitive personal data as “special categories of personal data”. These categories are broadly the same as those in the DPA, but there are some minor changes. For example, the special categories specifically include genetic and biometric data where these are processed to uniquely identify an individual.
What are the new individuals' rights?
The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the Data Protection Act 1998. The GDPR provides the following rights for individuals:
What do you need to do NOW?
So where do you start?
Digital Business Partners is an ICO registered data controller (Registration Number: ZA229204) and we can support your business getting started with GDPR. We are available to assist you with initial readiness assessments, gap analyses and data protection audits.
Ivan Fernandes, Founder and Managing Director at Digital Business Partners