What is it?
The General Data Protection Regulation (GDPR) is an EU-wide regulation set to replace the Data Protection Directive on 25th May 2018. Its aim is to improve data protection for individuals within the EU and address issues concerning the export of data outside the EU.
GDPR is applicable across all EU states and to anyone processing personal data relating to EU residents. It contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors.
Data Controller = A person who (either alone, jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Data Processor = In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Who does it affect?
The GDPR affects any person or organisation involved in the handling or processing of personal data within the EU or relating to EU residents.
Personal Data = “Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
What will be the impact of Brexit on the UK’s adoption of the GDPR?
None – The UK will still be in the EU when the GDPR comes into force on the 25th May 2018. Additionally, the UK government has announced its intention to adopt the GDPR after the country leaves the EU.
In short, you still need to prepare.
What would be the impact of not being GDPR ready?
For transgressions, there are severe financial sanctions along with the enormous reputational risk. Breaches of some provisions could lead to fines of up to €20 million or 4% of global annual turnover.
How can I prepare?
- Confirm if your organisation is subject to GDPR.
Are you based in the EU? Do you process personal data? Do you process personal data where that processing relates to data subjects in the EU?
If you answer yes to any of those questions, you are bound by GDPR.
- Assess your current data collection practices and policies – what do you collect? How is it used? Do you share it? Where does it sit? What security do you have in place? Who is responsible for what?
- Build your roadmap to GDPR readiness: determine which elements of GDPR are going to impact your current processes, and update your risk register. Ensure that your policies are active documents and that a culture of privacy is built into the organisation.
- Appoint a Data Protection Officer if needed.
An easy-to-follow guide can be found on the Information Commissioner's Office website – 12 steps to preparing for GDPR.