GDPR is coming May 25th, 2018 – what does your Organization need to know?
Let’s start at the basics, what is GDPR?
GDPR stands for General Data Protection Regulation, an EU regulation that was approved by the European Parliament in April 2016 to supersede the outdated Data Protection Directive 95/46/EC. GDPR was designed to harmonize data privacy laws throughout Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. It will introduce tougher fines for non-compliance and breaches and will give people more say about what organizations can do with their data.
Who does GDPR affect?
GDPR applies to any ‘controllers’ and ‘processors’ of data. A data controller states how and why personal data is processed, while a processor is the actual party doing the processing of data. It not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of people (data subjects) residing in the European Union, regardless of the company’s location.
What are the key principles of GDPR?
Under the principles of GDPR, organizations must:
- Collect no more data than is necessary from a data subject for the purpose for which it will be used
- Obtain personal data fairly from the data subject by giving them notice of the collection and its specific purpose
- Retain the data for no longer than is necessary for that specified purpose
- Keep the data safe and secure
- Provide a data subject with a copy of their personal data should the subject request it
How does this affect Data Subjects (Individuals)?
Under the new regulation, data subjects will have the following rights to:
- Obtain details about how their information is processed by an organization
- Obtain copies of personal data that an organization holds on them
- Have incorrect or incomplete data corrected
- Have their data erased by an organization, where for example, the organization has no legitimate reason for retaining the data
- Obtain data from one organization and have that data transmitted to another organization (data portability)
- Object to the processing of their data by an organization under certain circumstances
- Not be subject to automated decision making, including profiling
When will GDPR apply?
It will apply to all EU member states from 25th May, 2018.
What constitutes Personal Data?
Any information related to a data subject that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
GDPR is a Regulation replacing a Directive, what’s the difference?
A regulation is a binding legislative act. It must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal that all EU countries must achieve.
What does your Organization need to do to prepare for May 25th, 2018?
If you are an organization or business located or operating in the EU, the Irish Data Protection Commissioner has produced a very handy 12 Step Guide on Preparing for GDPR.
Fines and Penalties?
For organizations who breach the new regulations fines of up to €20m or 4% of global turnover may apply. Data subjects or individuals may also seek compensation through the courts for breaches of their data privacy rights.
What about Brexit?
As it is possible that the UK will still officially be a member of the EU on May 25th, 2018, UK organizations will have to abide by GDPR. However, what happens once the UK officially leaves the EU remains to be seen. The UK Government has indicated it will implement an equivalent or alternative legal mechanism. Our expectation is that any such legislation will largely follow the GDPR, given the support previously provided to the GDPR by the ICO and UK Government as an effective privacy standard, together with the fact that the GDPR provides a clear baseline against which UK business can seek continued access to the EU digital market.
Roger Leyden is CEO of RML Marketing & Business Development Solutions. If you would like to know more about how RML can help your organization’s needs within the EU, contact us today for further details.