The EU General Data Protection Regulation (GDPR), which replaces the Data Protection Directive 95/46/EC, brings widespread changes to the legislation on personal data protection in Europe. Specialists say that we are witnessing a real revolution, considering how these changes will affect both small and large businesses in Europe and beyond.
GDPR is a general regulation on the protection of individuals with regard to the processing of personal data. A single set of rules will apply in all member states of the European Union. Individuals will gain additional control over their personal data, transparency about how that data is used will be ensured, and control measures will be imposed to protect them.
Does GDPR apply to your organisation? The quick and simple answer is “Yes”. GDPR applies to organisations of any size and scope. The law covers companies, government agencies, non-profit organisations and any other organisation that offers goods or services to people in the European Union, or that collects and analyses data relating to individuals in the EU, regardless of where the organisation itself is based.
More precisely, the regulation will be directly applicable to any company that:
The EU’s General Data Protection Regulation (GDPR) applies from 25 May 2018, when it supersedes the Data Protection Directive 95/46/EC and, in the UK, the Data Protection Act 1998 that implemented it. 25 May 2018 is not the day on which organisations should start working on compliance; it is the day from which they are obliged to be compliant.
Non-compliance can attract fines of up to €20 million or up to 4 per cent of total worldwide annual turnover for the preceding financial year, whichever is greater.
It is very important to note that responsibility for non-compliance is shared between the organisation that determines why and how personal data is processed (the data controller) and any organisation that processes that data on its behalf (the data processor). For example, if your company shares personal data with a supplier, you must ensure that the supplier is also GDPR compliant, and the relationship must be governed by a written contract that sets out the processor’s obligations.
Under GDPR, individuals have the right to know whether an organisation is processing their personal data, to understand the purposes of that processing and to obtain a copy of the data held about them.
Any individual has the right to ask an organisation to delete or correct their data or to stop processing it, to object to direct marketing, and to withdraw consent for particular uses of their data.
GDPR introduces a new right to data portability, giving individuals the right to move their data elsewhere and to receive assistance in doing so. Data controllers must therefore be able to hand over the personal data an individual has provided in a structured, commonly used and machine-readable format.
GDPR requires organisations to protect personal data with technical and organisational measures appropriate to the risk, taking into account the sensitivity of the data and the harm a breach could cause.
In the event of a personal data breach, the data controller must notify the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. In addition, if the breach is likely to result in a high risk to the rights and freedoms of individuals, the organisation must also inform the affected people without undue delay.
Processing personal data must rest on a lawful basis recognised by the regulation, of which consent is only one.
Companies must be able to demonstrate that consent for processing personal data was given by the individual. The GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Organisations must carry out a data protection impact assessment for any processing that is likely to result in a high risk to individuals, so that the privacy impact of a project is anticipated and addressed before processing begins.
To demonstrate compliance with GDPR, organisations must maintain records of their processing activities and evidence that consent was obtained where consent is the lawful basis relied upon.
To ensure ongoing compliance, organisations are encouraged to build a culture of privacy that protects the rights and interests of individuals with regard to their personal data.
Failure to comply with GDPR may result in serious fines and business partners' refusal to collaborate with your organisation.
GDPR compliance is not a one-time step but a continuous process of monitoring data processing and keeping it secure. One of the first steps you can take is to become Cyber Essentials certified.
GDPR requires you to secure all the personal data you process: employee data, customer data, partners’ data and so on. Cyber Essentials certification gives you evidence, in the event of a data breach, that you had at least a baseline of technical controls in place to protect personal data. It is not a substitute for GDPR compliance as a whole, but it documents that the basics were covered.
Cyber Essentials (CE) is a UK government-backed cyber security certification scheme whose controls are designed to stop around 80% of common cyber attacks. Cyber Essentials not only helps your company to reduce its exposure to common attacks, but also to:
© Copyright soVision IT 2016. All rights reserved.
soVision IT Ltd, Avon House, Avon Mill Lane, Keynsham, Bristol BS31 2UG. soVision IT Ltd is a Company registered in England No 10714018