Key GDPR facts that all businesses must understand
Andy Ward, director at bluesource, explains the key GDPR facts that all businesses must be aware of
General Data Protection Regulation (GDPR) will apply unilaterally in all EU member states, with the official compliance date being 25th May 2018. GDPR will affect any business, UK or otherwise, that collects or retains personally identifiable data from any individual in Europe. Brexit cannot be used as an excuse either, as UK companies will still need to comply when dealing with countries in the EU.
Non-compliance could see organisations face fines of up to €20 million or 4 per cent of global annual turnover – whichever is higher. The increased financial impact of fines and the expected frequency of their enforcement should be a major concern – failing to understand the facts about GDPR will prove costly. Our research across UK organisations indicates that there is still a gap between GDPR awareness and action. I have therefore highlighted below the areas that businesses should be aware of, so that they can start to prepare now – and achieve successful outcomes.
GDPR applies to all
If an organisation processes the personal data of an EU citizen, be it consumer or business related, GDPR applies – wherever the organisation operates. So, in effect, although this is an EU initiative, it has global implications – regardless of Brexit.
Liability for all organisations that touch personal data
Responsibility will no longer only rest with the data controller of the initiating organisation, but will also apply to any organisation that uses personal data provided to them. This rule will even cover aspects such as data minimisation and deletion.
Mandatory appointment of a Data Protection Officer (DPO) for certain organisations
A DPO must be appointed, where large-scale data processing takes place, by both public bodies and certain other entities. The criteria are determined by the quantity of data being processed – not an organisation’s size. The DPO will have to ensure that personal data processes, systems, and storage not only conform to the law, but can also be evidenced to do so.
Widening definition of personal data
Once the 25 May 2018 deadline has passed, any data used to identify an individual will be considered to be ‘personal data’. This will include business contact information, as well as genetic, mental, cultural, economic and social information.
Tightening up on how ‘valid consent’ is obtained
This is likely to become a major headache for organisations, as they will need to be very clear about how an individual’s information is going to be used – before consent is given. They will also need to communicate how it will be processed. Consent will need to be clearly obtained, rather than assumed because someone has not ticked a box to opt out, as is currently often the case.
Introduction of Privacy Impact Assessments (PIAs)
For areas where there is a real threat of a privacy breach, data controllers will have to conduct a PIA to alleviate the knock-on risk to individuals. Projects involving such personal data will require the PIA to be carried out in advance, and the DPO will then need to ensure that compliance continues throughout the project.
Harmonisation of data breach notification
GDPR demands that a local data protection authority must be notified of a data breach within 72 hours of its discovery – so the burden has shifted from just being about ‘discovery’. Organisations will also have to possess the processes – and technology – in place to detect breaches in the first place. This means greater investment in both systems changes and staff training.
Introducing the right to be forgotten
Organisations won’t be allowed to hold or retain data for any longer than is necessary. Changing how data is used from what was originally agreed – at the time the data was collected – is also not permitted. If data is used for a new project, fresh consent will have to be obtained. The ‘right to be forgotten’ also enables an individual to request that their data is deleted in full – and this must be completed.
GDPR compliance must be included by design – in all software, systems, and processes
This can be construed as meaning that all software, for example, must facilitate the complete deletion of personal data – and this must be a key part of the design.
There will only be a single supervisory authority
Under GDPR, each EU state will have its own authority, but all must provide exactly the same advice and messages. This consistency will hopefully make it simpler for businesses to deal with queries regarding operations in different locations. However, any European data protection authority will be empowered to take action against an organisation – regardless of where the organisation is located.