Key GDPR facts that all businesses must understand

Andy Ward, director at bluesource, explains the key GDPR facts that all businesses must be aware of.

The General Data Protection Regulation (GDPR) will apply uniformly in all EU member states, with the official compliance date being 25th May 2018. GDPR will affect any business, UK or otherwise, that collects or retains personally identifiable data from any individual in Europe. Brexit cannot be used as an excuse either, as UK companies will still need to comply when dealing with countries in the EU.

Non-compliance could see organisations face fines of up to €20 million or 4 per cent of global annual turnover – whichever is higher. The increased financial impact of fines and the expected frequency of their enforcement should be a major concern, as failing to understand the facts about GDPR will prove costly. Our research across UK organisations indicates that there is still a gap between GDPR awareness and action. I have therefore highlighted below the areas that businesses should be aware of, so they can start to prepare now and achieve successful outcomes.

GDPR applies to all

If an organisation processes the personal data of an EU citizen, be it consumer or business related, GDPR applies – wherever the organisation operates. So, in effect, although this is an EU initiative, it has global implications – regardless of Brexit.

Liability for all organisations that touch personal data

Responsibility will no longer only rest with the data controller of the initiating organisation, but will also apply to any organisation that uses personal data provided to them. This rule will even cover aspects such as data minimisation and deletion.

Mandatory appointment of a Data Protection Officer (DPO) for certain organisations

A DPO must be appointed, where large-scale data processing takes place, by both public bodies and certain other entities. The criteria are determined by the quantity of data being processed – not an organisation’s size. The DPO will have to ensure that personal data processes, systems, and storage not only conform to the law, but can also be evidenced to do so.

Widening definition of personal data

Once the 25 May 2018 deadline has passed, any data used to identify an individual will be considered to be ‘personal data’. This will include business contact information, as well as genetic, mental, cultural, economic and social information.

Tightening up on how ‘valid consent’ is obtained

This is likely to become a major headache for organisations, as they will need to be very clear about how an individual’s information is going to be used – before consent is given. They will also need to communicate how it will be processed. Consent will need to be clearly obtained, rather than assumed because someone has not ticked a box to opt out, as is currently often the case.

Introduction of Privacy Impact Assessments (PIAs)

For areas where there is a real threat of a privacy breach, data controllers will have to conduct a PIA to alleviate the knock-on risk to individuals. Projects involving personal data will require the PIA to be carried out in advance, and the DPO will then need to ensure compliance continues throughout the project.

Harmonisation of data breach notification

GDPR demands that a local data protection authority must be notified of a data breach within 72 hours of its discovery – so the burden has shifted from just being about ‘discovery’. Organisations will also have to possess the processes – and technology – in place to detect breaches in the first place. This means greater investment in both systems changes and staff training.

Introducing the right to be forgotten

Organisations won’t be allowed to hold or retain data for any longer than is necessary. Also not permitted is changing how data is used from what was originally agreed at the time the data was collected. If data is used for a new project, fresh consent will have to be obtained. The ‘right to be forgotten’ also enables an individual to request that their data is deleted in full – and this must be completed.

GDPR compliance must be included by design – in all software, systems, and processes

This can be construed as meaning that all software, for example, must facilitate the complete deletion of personal data – and this must be a key part of the design.

There will only be a single supervisory authority

Under GDPR, each EU state will have its own authority, but all must provide exactly the same advice and messages. This consistency will hopefully make it simpler for businesses to deal with queries regarding operations in different locations. However, any European data protection authority will be empowered to take action against an organisation – regardless of where the organisation is located.

http://www.bluesource.co.uk
