An introduction to GDPR
Although the EU General Data Protection Regulation (GDPR) is not coming into force until May next year, organisations need to act now to understand the changes it will bring and prepare to comply with the new rules.
What is GDPR?
Introduced to keep pace with the modern digital landscape, the GDPR is a significant development in data protection law. It will replace current EU legislation including the Data Protection Directive 95/46/EC and the UK’s own Data Protection Act (DPA).
When does it come into effect?
The new rules will be enforced from 25th May 2018.
Who does GDPR apply to?
Any organisation that processes and holds the personal data of data subjects residing in the EU will be obliged to comply with the GDPR. This applies to every such organisation, whether or not it is itself established in one of the 28 EU member states.
What about Brexit?
This doesn’t affect GDPR. The Government has confirmed that post-Brexit, the regulations will still apply.
What are the main responsibilities under GDPR?
If your organisation handles personal data, the Information Commissioner’s Office (ICO) states: “You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time such as privacy impact assessments and privacy by design are now legally required in certain circumstances.
“Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.”
What constitutes personal data?
Any information relating to a natural person, or ‘data subject’, that can be used directly or indirectly to identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information to a computer’s IP address.
What specific measures does the GDPR require to protect personal data?
Article 32 of the GDPR requires organisations to implement technical measures to ensure data security. The measures and practices needed will vary with the degree of risk present: organisations must evaluate the risks to the personal data they process, and the higher the risk to that data, the stronger the measures that must be taken to secure it.
Do you have to appoint a Data Protection Officer?
Not necessarily. The ICO advises that under the GDPR, you must appoint a Data Protection Officer (DPO) if you:
- Are a public authority (except for courts acting in their judicial capacity);
- Undertake large scale systematic monitoring of individuals;
- Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
What will the penalties be for failing to comply with GDPR?
The GDPR has introduced a tiered approach to fines, meaning that the severity of the breach determines the fine imposed. The maximum fine a company can face is 4% of its annual global turnover, or €20 million, whichever is higher.
Less serious violations, such as keeping improper records or failing to notify of a breach, can attract a maximum fine of 2% of annual global turnover, or €10 million, whichever is higher.
Over the coming weeks and months, we’ll provide further information on GDPR, highlighting products and solutions to help with compliance. Got a question? Contact us on 0845 606 1000 or email firstname.lastname@example.org.