It’s getting closer: GDPR and the 5 things you need to know
1. What is GDPR?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) strengthens and unifies data protection for all individuals within the European Union. It replaces the Data Protection Directive (95/46/EC) and adds new responsibilities and roles for data controllers and processors, so a business that has not reviewed where it stands under those obligations is at risk of being in breach from the day the regulation applies.
2. Who is affected?
Contrary to the common assumption that GDPR applies only to companies located in the EU, it affects organisations anywhere, because its requirements for protecting, storing and processing the personal data of individuals in the EU apply regardless of where the organisation itself is based.
If your organisation is established in the EU, or processes data about individuals in the EU in the context of offering them goods or services (paid or free) or monitoring their behaviour, it will need to comply with GDPR requirements. Note that the test is where the individuals are, not their citizenship.
3. What should I do with the personal data I process?
If your organisation does not meet the principles below, make a plan now to change that before 25 May 2018, when the regulation applies.
According to Article 5 of GDPR, personal data must be:
- Processed lawfully, fairly and transparently (lawfulness, fairness and transparency)
- Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (purpose limitation)
- Adequate, relevant and limited to what is necessary for those purposes (data minimisation)
- Accurate and, where necessary, kept up to date (accuracy)
- Kept in a form that identifies individuals for no longer than necessary (storage limitation)
- Processed with appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (integrity and confidentiality)
In addition, the controller must be able to demonstrate compliance with all of the above (accountability), which is why records of processing and an audit trail matter.
4. What if you’re not compliant?
There are two kinds of consequences that can follow if you're not GDPR-compliant:
Administrative fines: these are discretionary rather than mandatory, are imposed by the supervisory authority on a case-by-case basis, and must be "effective, proportionate and dissuasive".
There are two tiers of administrative fines that can be levied:
- Up to €10 million, or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher
- Up to €20 million, or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher
Which tier applies depends on the articles of GDPR that the organisation has breached. Infringements of the controller's or processor's own obligations, including the security obligations (and so a data security breach), fall under the lower tier; infringements of the basic processing principles, the conditions for consent, individuals' rights, or the rules on international transfers fall under the higher tier. How you handle each individual's data and requests therefore matters at least as much as how you secure the systems that hold it.
Liability for damages: GDPR also gives individuals the right to compensation for any material or non-material damage resulting from an infringement of the regulation. Individuals can mandate a not-for-profit body to bring a claim on their behalf, and member states may allow such bodies to act on their own initiative. This opens the door to mass claims in cases of large-scale infringement.
5. What can you do now to make this easier for your business before May?
Partner with an expert provider who can help you achieve GDPR compliance through tools and processes that give you a structured, easier route to compliance. These include, but are not limited to:
- Devising IT architecture for managing and securing data used in transactions with suppliers, partners and customers
- Discovery services to establish where your data resides and what you need to do to safeguard it
- Creating an easily accessible data audit trail and implementing new records management and data management practices
- Embedding security and compliance into the heart of your business through training and change management programmes
- Building transparency into the business to show how data is collected, processed and shared
- Defining processes and procedures for detecting, containing and reporting a personal data breach, including meeting the requirement to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it
- Reporting and benchmarking your ongoing data management practices
Ergo has the expertise, knowledge and capability to face these issues head on with you, to help you explore the data in your organisation and to identify where the pain points lie. The rigorous processes and systems described above show the relief a provider like us can give to a company that is trying to make sure it isn't caught out by the time May rolls around. Don't wait for a problem to appear: address it now and save yourself a lot of hassle should a GDPR supervisory authority come knocking on your door.