GDPR is big news in 2018. Dubbed ‘the strictest data rules in the world’, it is going to impact every business regardless of size, sector or turnover, so it is something we all need to be thinking about now, before the 25th May 2018 enforcement date arrives.

So, what is GDPR?

GDPR stands for General Data Protection Regulation. After four years in the making, it was approved by the EU Parliament in April 2016. The enforcement date is 25th May 2018.

GDPR was brought in to replace the Data Protection Directive, which has been around since the 1990s. Big data, digital tools and technology have changed massively in the last 20+ years, so GDPR has come in to ‘harmonise data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organisations across the region approach data privacy’ (EUGDPR.org).

Who does it affect?

GDPR is going to affect everyone who collects, stores, analyses or processes personal data.

The biggest change within GDPR is how companies process data. If your customers are based or reside in the EU, GDPR covers their rights regardless of where your organisation is based. The legislation goes as far as requiring a non-EU business that processes the data of EU residents to appoint a representative in the EU (with limited exceptions for occasional, low-risk processing).

What does it mean for me?

Key things to know about GDPR:

Penalties – under GDPR rules, any organisation can be fined up to €20 million or 4% of annual global turnover (whichever is greater). This upper tier is for the most serious infringements, such as processing data without a lawful basis or customer consent, or violating privacy by design requirements. Penalties are tiered, so a company can be fined up to €10 million or 2% of annual global turnover for lesser failings, such as not keeping its records of processing in order or not notifying the supervisory authority and data subjects about a breach.

No one is exempt – the rules apply to both Data Controllers and Data Processors, so this will impact every level, sector and size of organisation across the EU. Controllers are liable for their own GDPR compliance and can only appoint processors who provide ‘sufficient guarantees’ – this means that processors will have to guarantee that the rights of data subjects will be protected. It has not yet been made clear whether a certification will be required or a code of conduct will have to be followed.

In turn, processors can only act on the ‘documented’ instructions of a controller. Again, it has been left up in the air exactly what ‘documented’ means, but we do know that processors can be subject to fines and other sanctions if they do not comply.

Consent – soon gone are the days when companies could rely on long and illegible terms and conditions. Requests for consent have to be presented in an easily accessible form. Companies must use clear and plain language and, *importantly*, it has got to be as easy to withdraw consent as it is to give it.

Data Protection Officers

Under the new GDPR legislation, a Data Protection Officer (DPO) only needs to be appointed by public authorities and by controllers and processors whose ‘core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data, or data relating to criminal convictions and offences’ (ICO). If a DPO is required, there are further rules: the DPO reports directly to the highest level of management, must be provided with appropriate resources, and their contact details must be published and provided to the relevant supervisory authority.

What you should be doing

Now is the time to get organised. Start by reviewing the personal data you currently hold:

  • Where are you storing data?
  • How are you processing data?
  • How easily can consent be withdrawn?
  • Do you need external support?
  • Are you in a position to audit your data?

Over the next few weeks we’re going to be adding more videos, blogs and links to help you get ready for GDPR, looking at processing your data lawfully, auditing your data, how to deal with subject access requests and how to communicate your privacy notices.

We’ll be sharing our experiences from the public and private sector organisations we work with, and how you can make it work for your organisation too.

Tools to help

Here’s a starting point, with some great tools and guidance:

EU GDPR – https://www.eugdpr.org/

ICO – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Plain Language UK – http://www.plainenglish.co.uk/


Get in touch and let us know your thoughts: http://www.madebyhalo.com/get-in-touch