GDPR. A Simplified Guide.

by | Sep 1, 2017

GDPR. A Simplified Guide.

What’s the saying, ‘if you want something doing, do it yourself’?
I’ve been searching for a basic overview of GDPR for a while but have yet to come across one. There is plenty of detailed information and fantastic articles from professionals and industry experts but nothing that gives a simple view of what GDPR is and what it means. So, I have taken it upon myself to have a go…

 

What is it?

General Data Protection Regulation or GDPR = replacement for the Data Protection Act

When is this happening?

Goes live in May 2018

Who does is apply to?

Any businesses within the European Union AND outside the EU if they offer products, services to and hold personal data on EU nationals

What about Brexit?

This is tricky. If your business deals with countries within the EU and keeps data about EU residents then YES you must prepare and comply to the GDPR.

If, however, your business trades in the UK only then it’s not too clear what will happen. The government have advised it will implement a similar regulation but either way it is better to be safe than sorry…

Can I be fined for non-compliance?

Yes. Very hefty fines of up to 4% of annual global turnover or a maximum of €20m

What is personal data?

Any information held about an individual that identifies them

What is a data controller?

Someone who keeps and processes data and information about an individual

Why do we need it?

We’re living in a digital data-driven world and need protection from data breaches, especially as lots of companies hold all kinds of personal data

So, what’s changed since the previous regulation?

Well, that was 1998. A lot has changed since then but here are the key points:

  • The World is getting smaller and companies all over the globe may hold some sort of data on EU nationals. Official line: ‘It applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not’
  • Penalties are steeper with maximum fines of up to 4% of annual global turnover or €20 Million – whichever is greater!
  • Consent has been made stronger. Opt-ins need to be clearer and opt-out need to be easier.

Data Subject RightsGDPR people shopping in Leeds

  • You have 72 hours. You must notify individuals and controllers as soon as you are aware of a data breach that poses a risk to the freedom and rights of an individual. This is mandatory.
  • Individuals can contact a data controller for confirmation on if their personal data is being held and how it is being used. This needs to be provided to the individual electronically and FREE of charge!
  • Please delete me! Also known as the right to be forgotten. Individuals can request to have a data controller erase their personal data, stop sharing their data and potentially have third parties stop processing data.
  • Individuals can move their data. Known as portable data, it gives an individual the right to receive their personal data which they have previously provided and move it to another controller.
  • You’re ready for the GDPR but you realise that the form on your website doesn’t have the right legal notice or opt-in section. Make sure controllers set up appropriate technical and organizational measures straight away, not as an afterthought… It could damage all that arduous work you put in!
  • You don’t need my life story. Controllers must only hold and process data necessary for the completion of its duties. Individuals are not going to want to give you their home address and shoe size just to download your latest blog!

Who is responsible then?

A Data Protection Officer or DPO will need to be appointed for controllers and processors whose activities mostly revolve around data processing and monitoring, with internal record keeping becoming mandatory.
Your DPO can be an internal or external employee but importantly they must be:

  • An expert on data protection law and practices
  • Given appropriate resources and training to do their job properly
  • Reporting directly to top level management

More information:

Tons of useful information is out there if you need more detail and the ICO have created a handy brochure on preparing for the GDPR and 12 steps to take now:
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

Information Commissioner’s Office:
https://ico.org.uk/for-organisations/data-protection-reform/
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/accountability-and-governance/

EU GDPR Portal with key changes and FAQ’s:

http://www.eugdpr.org/
http://www.eugdpr.org/the-regulation.html

logos

© 2024 Cybertill Ltd and Cybertill Inc. All Rights Reserved. UK Company Registration Number: 4007218

Cookies | Privacy Policy | Terms & Conditions