What Is GDPR?
Following my earlier blogs with considerations on GDPR, the question I have been asked by many is: what is this GDPR all about?
GDPR is the General Data Protection Regulation. It is a new piece of European legislation that was finally adopted on 27th April 2016 after several false starts. It will come into force on 25th May 2018 across Europe, and it will apply not only to any organisation established in the EU, but also to any organisation/business outside the EU that processes the personal data of individuals in the EU when offering them goods or services or monitoring their behaviour.
Where existing laws only apply to data controllers (the organisations that decide why and how personal data is processed), GDPR also places direct obligations on data processors, the organisations that process data on behalf of data controllers.
What about Brexit?
GDPR will apply in the UK regardless of Brexit. In the recent Queen’s Speech, Her Majesty said:
A new law will ensure that the United Kingdom retains its world-class regime protecting personal data…
So, what is GDPR?
GDPR takes many of the concepts under existing privacy laws and enhances and extends them. Existing data subject rights, such as the right to receive a copy of the data (subject access) and the right to rectification, are extended, for example with shorter time limits for compliance.
There is also a set of new data subject rights, such as the right to erasure (not quite as broad as the much-discussed right to be forgotten) and the right to data portability.
Other big changes include a duty to notify the supervisory authority of personal data breaches (and, where the risk to individuals is high, the individuals themselves), special rules for processing children’s data, new categories of sensitive data, and the requirement to give specific information to individual data subjects about what will happen to their data.
The cost of non-compliance
Data subjects who suffer damage from a breach of GDPR have a right to claim compensation from the data controller or processor responsible.
The supervisory authorities also have the power to impose substantial administrative fines on both data controllers and data processors. The numbers are high (the maximum being the higher of 4% of global annual turnover or €20m) and so have grabbed attention. However, whilst the size of fines is intended to be “dissuasive”, the authorities are also required to take into account the behaviour of the organisation (for example the nature of the breach, the measures in place to prevent it, and cooperation with the authority) and to fine accordingly. I would therefore recommend that you and your organisation/business take reasonable steps to have the correct processes in place.
It is right and proper, then, that our reaction to the legislation should be to take a broad risk-management approach and to invest in our security.
The cost of compliance
As you start looking into GDPR you will find that it impacts more of your organisation than you originally thought. It will also take you longer to become compliant than you can imagine. This article will undoubtedly raise more questions than it has answered, but what is clear is that you will have to make investments in your security systems and processes, and it is key to ensure that these investments are made in the right areas.