On 25 May 2018, the General Data Protection Regulation (GDPR) will come into force – a game-changer for the way organisations store and manage personal data.
An EU directive securing the privacy rights of EU citizens, organisations in countries outside the EU will nevertheless have to meet the GDPR’s data management standards to be able to use data from customers residing in the EU, whether in the course of trading goods or services. This will include organisations in the UK after the country’s exit from the EU, and the UK has committed to fully enacting GDPR from May 2018.
What is GDPR?
The purpose of the regulation is to transfer control of personal data to the owner of the data – with data definition encompassing usernames, location information, online identifiers such as IP address, cookies, or passwords, for example – and GDPR extending the interpretation of sensitive personal data to include genetic and biometric identity.
GDPR: main points
- Organisations that regularly and systematically monitor EU citizens’ personal data or process sensitive personal data on a large scale, must appoint a Data Protection Officer (DPO).
- Breaches will need to be reported to an appointed authority within 72 hours of detection – in the UK, this will be the Information Commissioner’s Office (ICO) – and affected customers notified, along with details disclosing the nature of the breach and recommendations to mitigate potential problems.
- Organisations must implement technical and organisational measures to ensure that the management of data safeguards the rights of the owner, and commit to processing personal data only when necessary.
- Privacy Shield is a framework facilitating compliance with EU data protection requirements when transferring personal data from the EU to the United States. The framework replaces the Safe Harbor Agreement, and companies have been able to self-certify from 1 August 2016.
‘Data subject’ rights
GDPR provides EU citizens with control over their personal data through a set of ‘data subject’ rights, including the right to:
- Access readily-available information in plain language about how personal data is used, as well as access and receive a copy of their personal data.
- Have incorrect data corrected or deleted, and erased in certain circumstances (the ‘right to be forgotten’).
- Restrict or object to their data being processed, including for specific uses, such as for marketing or profiling.
Michael Frisby, Cobweb MD, says, “Organisations that breach the GDPR directive will face fines of up to 4% of annual global turnover or €20 million, whichever is greater. The consequences of non-compliance could, therefore, be financially devastating for a business – particularly for SMBs.
“The directive will mean significant change to the way organisations manage and process personal data, but there’s no need to panic! There’s still time to implement the necessary requirements.
“It is important, though, for those businesses that have not already done so, to begin planning for the changes now.
“We’ve created an eBook, GDPR: A Guide for Business, to provide a detailed look at the areas which need to be addressed, and we'll continue to post information and guidance over the coming months, as well as running webinars to help businesses meet the new requirements.”
Cybersecurity has always been a business priority; the impact of COVID-19 makes this more important than ever.Read More
As businesses begin to return to the office, we explore how you can stay secure in a post-COVID worldRead More