GDPR- Everything you need to know about the new general data protection regulations

GDPR looks to bring together several existing laws and regulations to harmonize rulings across the EU.

The General Data Protection Regulation, or GDPR, (or EU Regulation 2016/679) is one of the most significant and wide-ranging pieces of legislation passed relating to technology and the internet.

The legislation will affect all domestic and international businesses operating in the EU – regardless of size. There are not just IT requirements – the impact will be felt across any organisation, from sales to marketing to HR.

What is GDPR?

General Data Protection Regulation (‘GDPR’) will apply in the UK, profoundly altering the way in which companies collect, store, process and protect the personal information of customers, clients and employees insights and reports on GDPR’s impact warn for the burden it brings to operations.

Approved by the European Union in April 2016 and has come into force in the UK on May 25, GDPR looks to bring together several existing laws and regulations to harmonize rulings across the EU.

Primarily, it replaces the UK’s 1984 Data Protection Act and the EU’s Data Protection Directive, which initially came into force in 1995, with new guidelines that are better suited to the modern, technology-dominated world.

What are the GDPR Principles

Under the GDPR, there are data protection principles relating to the processing of personal data – and these are the main responsibilities for organisations:

• Principal 1: ‘lawfulness, fairness and transparency’ – personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
• Principal 2: ‘purpose limitation’ – personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is different to the original purposes.
• Principal 3: ‘data minimisation’ – personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
• Principal 4: ‘accuracy’ – personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified without delay.
• Principle 5: ‘storage limitation’ – personal data can only be kept in a form which allows the identification of data subjects for no longer than is necessary.
• Principle 6: ‘integrity and confidentiality’ – personal data must be processed in a manner that ensures proper security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using proper technical or organisational measures.
• Principle 7: ‘accountability’ – a controller shall be responsible for, and be able to prove compliance with the GDPR data protection principles.

Accountability’ is the keyword. Under the accountability principle, data controllers will be needed to implement proper organisational and technical measures to ensure that data processing is performed in accordance with the GDPR. This would include any ongoing reviews and updates to those measures.

All companies which handle personal data of EU citizens must comply with the GDPR. This will include both companies with presence in an EU country as well as companies with no presence in the EU, but process personal data of EU citizens.

What are the challenges to becoming GDPR compliant?

Within organisations, data controllers are probably wondering what measures they need to implement to be compliant with the GDPR principles. The GDPR gives very little guidance on how to implement appropriate measures as well as how to demonstrate compliance to the legislation. The UK GDPR Supervisory Authority is the Information Commissioner’s Office (“ICO”).  Much of the current commentary has focused on the burden that the GDPR will have on businesses. However, there are a host of opportunities which the regulation will bring to all organisations.

Organisations must acknowledge that the GDPR means bigger fines for internal failings, but also the benefits of getting data protection right. If companies demonstrate that they respect and protect personal data, this could be perceived as a competitive advantage. Conversely, if organisations cannot demonstrate good data protection under GDPR, this could lead to reputational damage and big fines.

Which companies are affected by the GDPR?

All companies which handle personal data of EU citizens must comply with the GDPR. This will include both companies with presence in an EU country as well as companies with no presence in the EU, but process personal data of EU citizens.

The GDPR may see big fines

If organisations do not comply with the GDPR, the (ICO) can issue fines ranging from 4% of total worldwide annual turnover or €20 million, whichever is greater. Fines up to €10 million or 2% of total worldwide annual turnover can be applied for not putting in place adequate security or not reporting any breaches.

Organisations must acknowledge that the GDPR means bigger fines for internal failings, but also the benefits of getting data protection right. If companies demonstrate that they respect and protect personal data, this could be perceived as a competitive advantage. Conversely, if organisations cannot demonstrate good data protection under GDPR, this could lead to reputational damage and big fines.

Tags related

• GDPR