GDPR (General Data Protection Regulation)

WHO DOES THE GDPR APPLY TO?

The GDPR applies to any organisation that handles the personal data of EU citizens. This means that, unlike the law it replaces, the GDPR applies to businesses that provide outsourced services, e.g. cloud providers and external payroll. It also means that it applies to businesses based outside the EU that offer goods or services to people in the EU, e.g. via their website.
 
In other words, many more businesses that are not subject to current EU data protection law will become subject to the GDPR from 25 May 2018 – including those based in the USA, China and (post-Brexit) the UK.
 

WHAT DATA DOES THE GDPR APPLY TO?

The GDPR applies to ‘personal data’. Basically, this means any data that can be used to identify someone.
 
In most cases, it will be easy to identify personal data, e.g. someone’s name, but the GDPR’s legal definition is wider than current law and makes it clear that information such as an online identifier – e.g. an IP address – can be personal data. This means that there is a wide range of personal identifiers that constitute personal data – reflecting changes in technology and the way businesses collect information about people.
 
In addition, the GDPR introduces some new ‘special categories’ of personal data, including genetic and biometric data where these are used to uniquely identify someone.

YOU ARE GOING TO BE HELD ACCOUNTABLE
Arguably the biggest change is that the GDPR requires all businesses to demonstrate that they comply with the law.

YOU MUST HAVE A LEGAL RIGHT TO HANDLE DATA
Before they can use personal data, businesses will need to identify a legal basis for doing so. This will be especially important if a business relies on someone’s consent to process their data.

THERE’S A NEW RIGHT TO DATA PORTABILITY
This allows people to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

THERE’S A NEW RIGHT TO ERASURE
This (better known as ‘the right to be forgotten’) enables people to request the deletion or removal of personal data where there is no compelling reason for you to keep it.

IMPLEMENTATION COULD HAVE SIGNIFICANT RESOURCE IMPLICATIONS
You are likely to find compliance difficult if you leave your preparations until the last minute, especially if you have a large or complex business.

FINES HAVE BEEN GREATLY INCREASED
The GDPR increases the maximum fine for breaching data protection law from £500,000 to €20 million or 4% of turnover, whichever is greater.

DATA PROTECTION OFFICERS WILL BE MANDATORY FOR SOME
The GDPR requires a business to appoint a Data Protection Officer (DPO) if its ‘core activities’ consist of ‘regular and systematic monitoring’ of people on a large scale, or the handling on a large scale of special categories of personal data.

DATA BREACHES MUST BE REPORTED IN MANY CASES
The GDPR will introduce a duty to report certain types of data breach to the Data Protection Commissioner (DPC) Ireland, and in some cases to the people affected. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

YOU WILL HAVE TO DOCUMENT WHAT PERSONAL DATA YOU HOLD
You may need to organise an information audit, across the organisation or within particular business areas, to establish where the personal data you hold came from and who you share it with.

“THIS ONE’S A GAME CHANGER FOR EVERYONE”*
And having the right mindset towards data protection will help to future-proof your business.

 
