All organisations dealing with any data belonging to EU citizens need to be aware of the General Data Protection Regulation (GDPR), which impacts how data is collected and processed. The GDPR will apply in the UK from 25 May 2018, and it will come into force despite the Brexit vote, since Article 50 has not been triggered and, even once it is, there will be a 2 year transition. However, even when the UK does leave the EU, if your business has European customers you need to be ready for GDPR.
Does GDPR apply to my organisation?
GDPR applies to ‘controllers’ and ‘processors’ of data. The data controller sets how and why personal data is processed, and the processor actually processes the data on the controller’s behalf. This means any business, charity or public body could be a controller, and the processor could be a software company doing the actual data processing.
As a controller, it is your responsibility to ensure that your processor abides by GDPR. However, GDPR also places more rules on processors around the recording of their processing activities; processors are far more liable under GDPR than they are now.
GDPR has also extended the definition of ‘personal’ data to include new online sources such as an IP address, as well as traditional manual records.
Why has the EU created the GDPR?
The EU wants to create consistency across member states in order to make data protection clearer and simpler for businesses operating within the single market. The EU is also seeking to strengthen individual rights under the existing legislation, which came into force in 1995, before the internet and the cloud created new ways of transferring personal data.
How GDPR is different to the Data Protection Act
The ICO (Information Commissioner’s Office) provides a detailed breakdown of lawful data processing under GDPR. The main areas to check are:
- Consent – requires some form of clear affirmative action and must be verifiable (how and when given)
- Access – individuals have the right to request their data and information relating to processing
- Erasure – the right to have data deleted when it is no longer needed
- Automation – ensure individuals can obtain human intervention and an explanation of the decision
- Children – GDPR sets out new rules around the protection of children’s personal data
Non-compliance with GDPR
You could be issued with a penalty of up to 20 million euros or 4% of your global annual turnover, whichever is greater. There are also separate rules around compliance in the event of a data breach: failure to notify your relevant supervisory authority can result in a fine of up to 10 million euros or 2% of your global turnover.
Read our next article: Five top tips on getting your systems GDPR compliance-ready.