The General Data Protection Regulation (GDPR) is the new legal framework that will regulate data protection and is aimed at improving and unifying the way personal data is currently protected within European Union countries. The regulation comes into effect on 25 May 2018.
The new legislation replaces the current European Data Protection Directive, which dates back to 1995. That directive is seen as outdated because it was created at a time when the internet was in its infancy.
As the internet and technology evolved, so have the concerns about how private data is handled and particularly how data breaches should be handled. Recent high-profile cases in the media have shed new light on how data breaches can have wide-ranging effects not just on individuals but society at large.
This is particularly relevant in cases where companies based outside EU countries handle personal data relating to EU citizens. For example, if a company based in the EU employs a third-party processor based outside the EU to handle data relating to EU citizens, the EU company must ensure that the processor complies with the GDPR requirements for processors outside the EU.
Should they fail to comply, the EU-based company will not be in compliance and may therefore be subject to fines and legal action. At its worst, fines can go up to €20 million or 4% of global turnover, whichever is higher.
In the UK, the Information Commissioner’s Office has the power to impose fines along with a range of corrective powers and sanctions. These include issuing warnings and reprimands; imposing a temporary or permanent ban on data processing; ordering the rectification, restriction or erasure of data; and suspending data transfers to third countries.
If in doubt of whether GDPR is applicable to your company, as a rule of thumb, ask yourself if the data you’re processing is in any way personal data relating to or involving EU citizens. Here are five common questions about GDPR.
1. What is the purpose of GDPR?
One of the aims of the GDPR is to create a single standard for how data is stored, collected and transferred today. It also represents a step forward in how data is handled and how issues such as privacy and individual consent are managed.
2. What types of privacy data does the GDPR protect?
In a nutshell, the purpose of the new legislation is to protect the personal data and the privacy of EU citizens. Most importantly, GDPR also regulates the transfer of personal data outside the EU. Here is a short list of some of the data protected under the GDPR (1):
Basic identity information such as name, address and ID numbers
Web data such as location, IP address, cookie data and RFID tags
Health and genetic data
Racial or ethnic data
3. Which companies have to comply with GDPR?
Any company that stores or processes personal information about individuals who are in EU states must comply with the GDPR, even if they do not have a business presence within the EU. Specific criteria for companies required to comply are:
A presence in an EU country
No presence in the EU but the company offers goods or services to individuals in the EU or monitors their behaviour
4. Who within my company is responsible for compliance?
The GDPR defines several roles or positions that will be in charge of ensuring compliance. These are data controller, data processor and the data protection officer (DPO).
The data controller is in charge of how personal data is collected and the purposes for which it is processed; the controller is also responsible for making sure that outside contractors comply with the rules. Companies are required to have a DPO if they are a public body or if their core activities involve: (i) the regular and systematic monitoring of data subjects on a large scale; or (ii) the processing of special categories of personal data on a large scale.
5. Is the UK exempt from GDPR after it exits the EU?
The UK’s exit from the EU at the end of March 2019 will have no effect, as any UK-based companies handling EU citizens’ data will have to be GDPR compliant by then. Furthermore, the UK’s future Data Protection Bill, once approved by Parliament, will take GDPR into account, thus setting standards that can be higher than those defined by GDPR itself.
Find out more about how Sage is getting ready for GDPR.
(1) This list is by no means comprehensive.