Key GDPR facts that all businesses must understand

Andy Ward, director at bluesource, explains the key GDPR facts that all businesses must be aware of.

The General Data Protection Regulation (GDPR) applies directly and uniformly in all EU member states, with the official compliance date being 25th May 2018. GDPR affects any business, UK or otherwise, that collects or retains personal data relating to individuals in the EU. Brexit cannot be used as an excuse either: UK companies will still need to comply when they process the data of individuals in the EU.

Non-compliance could see organisations face fines of up to €20 million or 4 per cent of global annual turnover, whichever is higher. The increased financial impact of fines and the expected frequency of their enforcement should be a major concern, as failing to understand the facts about GDPR will prove costly. Our research across UK organisations indicates that there is still a gap between GDPR awareness and action. I have therefore highlighted below the areas that businesses should be aware of so that they can start to prepare now and achieve successful outcomes.

GDPR applies to all

If an organisation processes the personal data of an individual in the EU, be it consumer or business related, GDPR applies, wherever the organisation operates. So, in effect, although this is an EU initiative, it has global implications, regardless of Brexit. Note that the test is where the individual is, not their citizenship.

Liability for all organisations that touch personal data

Responsibility will no longer rest only with the data controller of the initiating organisation, but will also apply directly to any data processor that handles personal data on its behalf. Processors therefore need their own evidence of compliance, covering aspects such as data minimisation, security of processing and deletion once the contracted purpose has ended.

Mandatory appointment of a Data Protection Officer (DPO) for certain organisations

A DPO must be appointed by public bodies and by other organisations whose core activities involve large-scale processing of personal data (for example regular and systematic monitoring of individuals, or processing of special categories of data). The criteria are determined by the nature and scale of the processing, not by an organisation's size. The DPO will have to ensure that personal data processes, systems and storage not only conform to the law, but can also be evidenced to do so.

Widening definition of personal data

Once the 25 May 2018 deadline has passed, any information relating to an identified or identifiable individual will be considered 'personal data'. This will include business contact information and online identifiers such as IP addresses and cookie IDs, as well as genetic, mental, cultural, economic and social information.

Tightening up on how ‘valid consent’ is obtained

This is likely to become a major headache for organisations, as they will need to be very clear about how an individual's information is going to be used before consent is given. They will also need to communicate how it will be processed. Consent will need to be freely given, specific and informed, and shown by a clear affirmative action, rather than assumed because someone has not ticked a box to opt out, as is currently often the case. Organisations must also be able to demonstrate that consent was obtained, and individuals must be able to withdraw it as easily as they gave it.

Introduction of Privacy Impact Assessments (PIAs)

Where processing is likely to result in a high risk to individuals, for example large-scale profiling or processing of sensitive data, data controllers will have to conduct a PIA (called a Data Protection Impact Assessment, or DPIA, in the regulation) to identify and reduce the knock-on risk to individuals. Such projects involving personal data will require the PIA to be carried out in advance, and the DPO will then need to ensure that compliance continues throughout the project.

Harmonisation of data breach notification

GDPR demands that the relevant data protection authority be notified of a personal data breach without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, wherever the breach is likely to result in a risk to individuals. Where the risk to individuals is high, the affected individuals must also be told. The burden has therefore shifted: it is no longer enough to discover a breach, organisations must be able to detect it promptly, assess the risk and report it within the deadline. That means having the processes and technology in place to detect breaches in the first place, and greater investment in both systems changes and staff training.

Introducing the right to be forgotten

Organisations won't be allowed to hold or retain data for any longer than is necessary for the purpose it was collected for. Also not permitted is changing how data is used from what was originally agreed at the time the data was collected: if data is used for a new, incompatible purpose, fresh consent (or another lawful basis) will have to be obtained. The 'right to be forgotten', formally the right to erasure, also enables an individual to request that their data be deleted in full, and this must be carried out without undue delay unless a specific exemption applies, such as a legal obligation to retain the data.

GDPR compliance must be included by design – in all software, systems, and processes

This means, for example, that all software must facilitate the complete deletion of personal data, including copies held in backups, logs and third-party systems, and this must be a key part of the design rather than a retrofit. Data protection by default also requires that only the personal data necessary for each purpose is collected and processed.

A single lead supervisory authority for cross-border processing

Under GDPR, each EU state will still have its own supervisory authority, but an organisation processing data across several member states will deal primarily with one lead authority in the country of its main establishment, and the authorities must apply the regulation consistently through a co-operation mechanism. This consistency will hopefully make it simpler for businesses to deal with queries regarding operations in different locations. However, any European data protection authority will be empowered to take action against an organisation that processes the data of individuals in its territory, regardless of where the organisation is located.

http://www.bluesource.co.uk
