From May 25, 2018, the EU General Data Protection Regulation (GDPR) applies across the EU. It replaces the Data Protection Directive (95/46/EC) and brings substantial changes to how organisations collect, store, process and secure personal data.
Organisations need to be aware of these changes, as non-compliance can incur hefty fines and penalties.
The regulation affects every organisation that processes or stores the personal data of individuals in the EU, whether or not the organisation itself is established there: a controller or processor outside the EU is covered when it offers goods or services to people in the EU or monitors their behaviour. Brexit does not remove this obligation: a UK organisation that handles the personal data of people in the wider EU still falls within GDPR's scope.
At its heart, GDPR is a regulation intended to strengthen data protection for individuals in the EU. A significant part of this is tighter control over how and why personal data may be transferred outside the EU. GDPR aims to give individuals control over their data, while making the rules simpler for organisations to understand and comply with. It also seeks to make life easier for international business by replacing the differing national implementations of the Directive with a single regulation that applies directly in every member state.
Penalties for non-compliance with GDPR are significantly harsher than those under the Data Protection Directive, so it pays to keep up to date with the rules and remain compliant. Organisations that are not compliant face administrative fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher. On this scale, fines are a serious business risk, and compliance is the best protection against them.
The most important requirements that GDPR introduces, and which you need to consider in your compliance programme, include:
- Jurisdiction – GDPR is not confined to organisations established in the EU: any business processing the personal data of individuals in the EU, regardless of where the business is physically located, will need to comply and be able to demonstrate that compliance.
- Breach Notification – Organisations must notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay.
- Right to Access – Individuals may request access to their personal data, and organisations must provide a copy, normally within one month and, where the request is made electronically, in a commonly used electronic form. They must also be able to tell individuals the purposes of the processing, the recipients to whom the data has been or will be disclosed, and how long it will be retained.
- Consent – Where an organisation relies on consent as the lawful basis for storing and using an individual's data, that consent must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give. Consent is only one of the lawful bases GDPR recognises; others include performance of a contract, compliance with a legal obligation and the organisation's legitimate interests.
- Privacy and Security – Organisations must build data protection into their systems and processes from the outset (data protection by design and by default) and must implement technical and organisational measures appropriate to the risk, such as pseudonymisation and encryption of personal data. They must also be able to demonstrate that they have done so. Data protection by design is an explicit legal requirement for the first time under GDPR.
- DPO – A Data Protection Officer, who may be a permanent member of staff or a contractor, must be appointed by public authorities and by organisations whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data (such as health data) or data relating to criminal convictions.
- Portability – Individuals have the right to receive the personal data they have provided to an organisation in a structured, commonly used and machine-readable format, and to have it transmitted to another controller where technically feasible. This right applies to data processed by automated means on the basis of consent or a contract.
- Right to Erasure – Individuals have the right to request that their personal data be deleted, for example where it is no longer needed for the purpose it was collected for or where they withdraw consent. An organisation that has made the data public must also take reasonable steps to inform other controllers processing it that erasure has been requested.
To find out more about how you can comply with GDPR requirements leading up to 2018, don’t hesitate to get in touch.