General Data Protection Regulation (GDPR)
What is it?
Essentially, the legislation aims to protect the right of European citizens to determine whether, when, how and to whom their personal information is disclosed, and how it can be used.
The EU General Data Protection Regulation (GDPR) replaces the EU Data Protection Directive and comes into effect on 25 May 2018. It sets out a number of principles which are broadly similar to those already in the UK’s Data Protection Act. However, one key difference is that the GDPR applies to all companies processing and holding the personal data of people residing in the European Union – regardless of the company’s location. Consistency is a driving factor behind the regulation.
From 25 May 2018, all organisations that process the personal data of EU residents will be required to meet a number of requirements, or face significant penalties (e.g. fines of up to 4% of annual global turnover or €20 million, whichever is the greater).
Key requirements include:
- The collection and processing of personal data
- The rights of people
- Data protection impact assessments
- The role of the data protection officer and whether you need one
- Data breaches – when and who to notify (72 hour rule)
- Obligations for international data transfers
How does it affect organisations?
Data “controllers” (CIOs, CTOs etc.) within organisations need to be aware of all personal data under their control and be able to demonstrate that they understand the potential risks to that information and how to mitigate those risks, all within the next two years.
The advice of the Information Commissioner’s Office (ICO) is that businesses need to start planning their approach to GDPR compliance as early as they can.
Numerous sources have suggested that the Brexit vote will have some impact on how all this works in the UK. However, because the GDPR applies to all companies holding data on EU citizens, many UK businesses that trade with Europe will still need to comply with its rules even after Britain leaves the EU.
What are the key dates?
No milestone dates have been announced; however, numerous sources describe the steps organisations can take now to prepare.