GDPR – why should I care?
The General Data Protection Regulation (GDPR) is a regulation that intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. GDPR applies from 25 May 2018, and it does not require any enabling legislation to be passed by national governments.
The bit to worry about: GDPR establishes a tiered approach to penalties for breaching the regulations. It enables fines for some infringements of up to the higher of 4% of annual worldwide turnover and EUR20 million (e.g. breach of requirements relating to international transfers or the basic principles for processing, such as conditions for consent). Other specified infringements would attract a fine of up to the higher of 2% of annual worldwide turnover and EUR10 million.
So does it impact on me?
Expanded territorial reach – The GDPR applies to those inside the EU, but it also catches data controllers and processors outside the EU whose processing activities relate to the offering of goods or services (even if it's for free) to, or monitoring the behaviour (within the EU) of, EU data subjects. Many will need to appoint a representative in the EU.
The UK’s Information Commissioner’s Office has produced a checklist that highlights 12 steps you can take now to prepare for GDPR (https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf). It makes the following points:
- Awareness – You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
- Information you hold – You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
- Communicating privacy information – You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Individuals’ rights – You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Subject access requests – You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
- Legal basis for processing personal data – You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
- Consent – You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
- Children – You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
- Data breaches – You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data Protection by Design and Data Protection Impact Assessments – You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.
- Data Protection Officers – You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
- International – If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
In summary – act now, don’t wait until 25 May 2018!
Xanadata is a data analytics company, specialising in building systems that analyse data at extreme throughputs, addressing markets such as cyber security, e-discovery and BI analytics. It develops and builds custom hardware and software to allow organisations to rapidly identify vulnerabilities, threats and risks caused by systems connecting to the Internet. Contact us to learn how our products and services can help you comply with the GDPR regulations, making sure you have the right procedures in place to detect, report and investigate a personal data breach.