It’s been years in the making but the EU General Data Protection Regulation (GDPR) has finally been agreed. It’s a term you’ll see regularly in the run up to May 2018 when the regulation comes into effect.
But how much do you actually know about the GDPR?
We’ve put together some of the key facts to help you prepare for the most important change in data privacy regulation in 20 years.
The Road to GDPR
The regulation began with a proposal from the European Commission in January of 2012 but prior to that discussions, papers, directives and treaties paved the way.
So, while the road to regulation has been long, with little over a year until GDPR comes into force it’s full speed ahead to make sure we’re ready.
What is the GDPR?
The GDPR is a single set of rules that is intended to strengthen and unify data protection for individuals within the European Union. Currently, the handling of personal data in the UK is subject to the Data Protection Act 1998 (DPA); however, this was implemented before the expansion of the internet. There are more ways to exploit data now and the GDPR aims to address these.
The GDPR has also introduced stricter penalties for organisations who suffer breaches. Fines have increased dramatically from a £500,000 maximum fine under the DPA to an upper limit of €20 million or 4% of global annual turnover (whichever is higher) under the GDPR. Few companies could absorb this scale of penalties so the risk of non-compliance is clear.
Hold on, this is an EU regulation. Why should we bother about the GDPR now that Brexit is imminent?
The UK government supervisory authority – currently the Information Commissioners’ Office (ICO) – has insisted that GDPR will be implemented despite the UK exiting the European Union.
GDPR compliance is mandatory for any company dealing with personal data from the EU regardless of where that company trades from, so if the UK wants to do business in the EU we’ve got to comply.
What are the key GDPR requirements?
The key GDPR requirement is to protect the Personally Identifiable Info (PII) of EU subjects. This includes;
- Right to be forgotten
- Privacy of child data
- Right to opt in vs. opt out by data subjects
- Prompt, impartial dispute resolution
- Privacy by design
- Hefty penalties for data breaches
- Establishment of evidence-based security control systems
- Data transparency – easy access to personal data
- Explicit consent from data subject before data is processed
- Easy portability of data at request of data subject
- Establishing lawful grounds for data capture and processing
- Establishing Local Supervisory Authority at state level
- Establishing role of Data Protection Officer at company level or group level
- Data Controller and Data Processor liable for data breaches
- Mandatory data breach disclosure time
When we are expected to be compliant?
The regulation comes into effect on the 25th May 2018. It’s a narrow timescale but there is still time to become compliant.
Starting with discovery/scoping activities and a gap assessment you can identify the areas where you fail to comply with the regulations. Then it’s time to take action with a remediation plan.
We can help you become compliant
If you don’t have the time or manpower to take action, if you’re unsure of what you need to do or you simply want someone to take control and prepare you for the GDPR, we have the expertise to get you ready. Contact us to discuss how we can help you become compliant.