The new General Data Protection Regulation (GDPR) comes into force in May 2018.
The new regulations, relating to personally identifiable data of EU citizens, are intended to update existing data protection laws. The world has changed significantly since the Data Protection Act was introduced in 1998. Social media and smartphones were the stuff of science fiction, and Google and Amazon were start-ups. The GDPR aims to bring data protection in line with contemporary technologies and “make Europe fit for the digital age.”
What are the aims of the GDPR?
- Change the focus of data protection law to a culture of privacy that requires organisations to understand and mitigate the risks to personal data
- Provide additional protection for EU citizens by expanding existing rights and creating new ones, including the right to be forgotten and data portability
- That personal data is held securely and processed fairly, lawfully, and transparently
- Accountability; organisations must demonstrate their compliance with the regulations
- To drive better governance, such as privacy impact assessments and privacy by design
Does this really apply to me and my company?
Yes, if you handle or store personally identifiable data of any EU Citizens. This applies to Data Controllers (who determine the purposes, conditions and means of the processing of personal data) and Data Processors (who process data on behalf of the controller). Personally identifiable data includes employees and B2B prospects/customers so don’t assume you are immune from the GDPR if you don’t sell to the public.
Do Data Processors and Data Controllers have the same obligations?
Data Processors share the same obligations as Data Controllers, but face additional duties and liability for non-compliance, or acting outside of instructions provided by the controller. Data Processor duties include:
- Processing data only as instructed
- Using appropriate technical and organisational measures to process personal data
- Deleting or returning data to the controller
- Securing permission to engage other processors
What is personally identifiable data?
Personally identifiable data includes information such as:
- Email address
- Social media posts
- Physical, physiological or genetic information
- Medical information
- Bank details
- IP address
- Cultural identity
Does Brexit mean that this doesn’t apply to UK companies?
No. The regulations apply to personally identifiable data belonging to EU citizens, regardless of where the company processing or controlling the data is located. Furthermore, the regulations come into force on 25th May 2018 when the UK is likely to still be a member of the EU. Government announcements suggest that the UK will adopt EU regulations as part of domestic legislation.
I’ll just pay the fine
This is an approach that has been adopted by many businesses with respect to similar regulations and compliance regimes. Unless the regulations or their enforcement changes from the current proposals, the fines will be significant – up to 4% of global turnover or €20 million (£16.9m), whichever is higher. The fines are intentionally high to discourage companies from taking this approach.
I’ll just get the lawyers to look at this
Some of the current risks that a company faces, especially with respect to their supply chain, can be mitigated by contractual amendments. IT Lab believe, however, that a large part of the work required to understand the risks is related to process and data architecture mapping and technology controls and procedures. Many of the risks can also be mitigated by adapting IT architecture and solutions.
It is important that companies understand the risks to their data and how to minimise them. With our experience in data and process mapping, business systems, technology infrastructure and cyber security, IT Lab is well placed to support this process.
IT Lab has created a GDPR Audit Guide designed to help you assess the impact of the new laws and plan for compliance and ongoing management.
To request an GDPR audit tailor-made for your organisation please contact us contact us today.