GDPR – The General Data Protection Regulation

What is GDPR?

The General Data Protection Regulation (GDPR) is an EU-wide regulation set to replace the Data Protection Directive on 25th May 2018. Its aim is to improve data protection for individuals within the EU and address issues concerning the export of data outside the EU.

The regulation is applicable across all EU states and to anyone processing personal data relating to EU residents. It contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors.

Data Controller = A person who (either alone, jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

Data Processor = In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Who Does GDPR Affect?

The GDPR affects any person or organisation involved in the handling or processing of personal data within the EU or relating to EU residents.

Personal Data = “Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

What will be the impact of GDPR on Brexit?

None – The UK will still be in the EU when the GDPR comes into force on the 25th May 2018. Additionally, the UK government has announced its intention to adopt the new regulation after the country leaves the EU.

In short, you still need to prepare.

What would be the impact of not being ready for GDPR on 25th May?

Transgressions carry severe financial sanctions as well as enormous reputational risk. Breaches of some provisions could lead to fines of up to €20 million or 4% of global annual turnover.

How can I prepare?

  1. Confirm if your organisation is subject to GDPR.
    1. Are you based in the EU?
    2. Do you process personal data?
    3. Or do you process personal data where the processing relates to data subjects in the EU?

If you answer yes to any of those questions, you will be bound by GDPR.

What should I do next?

  1. Assess your current data collection practices and policies:
    1. What do you collect?
    2. How is it used?
    3. Do you share it?
    4. Where does it sit?
    5. What security do you have in place?
    6. Who is responsible for what?
  2. Build your roadmap to GDPR readiness, determining which elements of GDPR are going to impact your current processes.
  3. Update your risk register. Ensure that your policies are active documents and that a culture of privacy is inbuilt within the organisation.
  4. Appoint a Data Protection Officer if needed.

An easy-to-follow 12-step guide to preparing for GDPR can be found on the Information Commissioner’s Office website.

How we can help

To learn more about how TFPL can help you to successfully navigate your GDPR compliance, take a look at the range of data and records management consultancy services we can provide.

Alternatively, please get in touch with our Managing Director, Chris Jones (0207 378 7068), who would be happy to discuss your options.

Sue Hill Recruitment and TFPL Limited are part of the Progility Group