What is GDPR?

GDPR is a new EU wide law that give citizens clear control over how and where their data is used and stored. It creates a uniformity of rules and enables stronger enforcement.

When will GDPR go live?

GDPR is entered into law for all EU states on 25 May, 2018. We are currently in a two year transition period where companies are expected to prepare their compliance with GDPR.

Why should businesses worldwide care about GDPR?

Although this law comes from the EU, its impact is global. Any business holding personal data on EU based customers, prospects or employees need to be preparing for the change now. If businesses ignore this law, they can be fined up to €20m or 4% of their global annual turnover. Data protection is more than a compliance problem. People care about their privacy and rightly expect businesses to respect their privacy. It makes good business sense to clearly demonstrate that you understand both the cultural and financial issues.

What are the new rules?

The rules are complex, but try not to be overwhelmed by them. They key is to build data governance into your company culture. This will help you manage data more effectively and more securely both internally and externally.

The rules follow 6 strands: 
– Document your data map – What data do you have, and what do you do with it?
– Be structured in the way you manage the data you store
– Document who is responsible for protecting the data
– Encrypt all personal data in case it is accidentally disclosed
– Start by designing security awareness in your company culture
– Be prepared… even the best, most secure businesses can make mistakes

Our company is based outside the European Union. Do we need to comply?

Yes. GDPR is designed to protect and give certain rights to all 750 million European Citizens regardless of where their data is held or processed. If you offer your goods or services to any EU residents, then you must comply with GDPR.

Our company is U.K. based. Do we need to comply given the upcoming Brexit?

Yes for two reasons: The GDPR comes into effect before Brexit is completed. UK firms must comply with the GDPR until then. Even after Brexit concludes, UK firms that offer goods or services to EU residents still need to comply.

We do not charge for services we offer. Do we need to comply?

If you offer goods or services to EU residents then you must comply with GDPR whether payment is exchanged or not.

What is the impact on businesses?

The impact for businesses globally will undoubtedly be far reaching if they sell services or products to EU citizens. Businesses large and small across the globe will be required to transform their privacy policies, business structures and staff to ensure compliance. Data protection and security must be designed into the organisation’s culture. No longer can it be outsourced or pushed into a silo. Clearly your security and compliance teams need to be concerned with ensuring the details are right, but every other member of staff must be aware of the principles and ensure they are implemented throughout your business.

We process personal data manually rather than using automation. Do we need to comply?

If the manual data processing contributes toward a database, then yes, you must comply. If the processing is one-off and is not put in a structured and accessible database or filing system, then GDPR may not apply.

What happens if I fail to comply?

The fines are tiered and dependent on the criticality of the data and the nature and size of any breach. At the top end, if you are processing financial or criminal records, you could be fined up to €20mm or 4% of your worldwide turnover, whichever is greater. You may also be subject to lawsuits by affected data subjects.

What data is considered to be personal data and covered under GDPR?

GDPR includes data such as name, email, location, IP address, online behavior and any data that can directly or indirectly identify an individual as personal data.

How do I obtain consent?

Consent needs to be explicit, opt-in, and freely given. You can no longer assume opt-in and you cannot pre-fill the opt-in box on the consent form.

Does my firm need a Data Protection Officer (DPO)?

Probably not! You must appoint a DPO if you represent a public authority or an organisation that processes large scale monitoring data or processes sensitive personal data.

What does it mean for my customers?

While most people probably won’t aware of the changes brought about by GDPR, hopefully most will eventually notice the differences in how businesses communicate with them: Privacy notices will be more transparent, Consumer rights will be upheld and made public, News about data breaches will be more apparent and much more difficult for firms to cover up. It may appear that data is less secure under GDPR because news about breaches and firms failing to comply will increase. Hopefully they will be reassured by the sizeable fines for unprincipled and slipshod data management.

If your question is not answered here..

Contact Us