As I’ve been networking over the past couple of weeks I’ve had numerous conversations with people asking me about GDPR. People have heard a number of rumours about it and over the next few blogs I intend to unpack some of the confusion.
So what is it?
GDPR stands for General Data Protection Regulation. A regulation is a number of specific requirements or enforcements, and, in this case, they are set out to protect an individual's data. Whilst it is an EU regulation, it is something that the UK will be adopting regardless of Brexit and so, for the purpose of this blog, any reference to EU citizens includes the UK. The regulation comes in on 25 May 2018, by which point all companies need to be compliant.
Who does it affect?
The short answer is all companies, worldwide, that process personal data of any EU citizen.
This will harmonise data privacy laws across the EU and give an individual more control over what happens to their data.
What is the definition of ‘personal data’?
GDPR considers ‘personal data’ to be anything that can be used to identify an individual. This includes genetic, mental, cultural, economic and social information.
Surely this is just another way of presenting the Data Protection Act (DPA)?
There are key differences between GDPR and the DPA, and a key one to note is that the DPA is a UK act only, whereas GDPR is an EU directive ensuring consistency across all EU countries.
Other differences are set out below:
- Non-compliance with the DPA can result in fines of up to £500k, or 1% of annual turnover; however, with GDPR these fines could be up to €20m or 4% of annual global turnover
- Companies of more than 250 employees will need to assign a Data Protection Officer to ensure compliance
- Under the DPA businesses are not obliged to report data breaches. With GDPR any data breach must be reported to the Supervisory Authority within 72 hours of the incident
- Under GDPR an individual will have the right to have their data permanently deleted from all databases, including web records etc., whereas there is no such requirement under the DPA
- Where the DPA did not necessarily require an opt-in for data collection, GDPR will require one, along with clear and transparent privacy notices. Consent must be able to be withdrawn at any time
Interested in knowing more? Look out for my blog on Wednesday setting out what actions you need to take now.
Or check out the following sites:
http://www.computerweekly.com/news/450296306/10-key-facts-businesses-need-to-note-about-the-GDPR
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
http://www.eugdpr.org/