It is difficult to think of an organisation which doesn’t collect and/or process personal data of some kind or other, e.g. customer lead data collected via a website, transactional data recorded at the point of purchase or employee data gathered during recruitment. Even though most organisations rely on and value this kind of data, we are increasingly surprised that more are not paying attention to the incoming General Data Protection Regulation (or GDPR for short). A recent study conducted by Amarach, on behalf of the Irish Data Protection Commissioner’s Office, found that less than half of the SMEs interviewed were aware that changes to data laws are imminent, and less than one third were aware that GDPR will be in effect in 2018. If you run a business and GDPR isn’t on your radar, it needs to be. Here are the top six facts all organisations need to know:
1. What is GDPR?
GDPR is EU legislation issued by the European Commission, the European Parliament and the Council of Ministers of the European Union. It is the single biggest change in data privacy in 20 years and represents an enormous step up from the existing Data Protection Directive 95/46/EC. The objective of this new regulation is to improve data protection for European data subjects.
2. When does my organisation need to comply by?
GDPR comes into effect on the 25th of May 2018; however, becoming GDPR compliant is not a task to be taken lightly. It is essential that organisations commence preparations now if they have not already started.
3. Who needs to comply?
Any organisation collecting or processing the data of EU data subjects, i.e. European citizens, needs to comply with the GDPR regardless of where the business is based. For example, a Dubai-based online training organisation is liable under GDPR if it collects or processes the data of EU data subjects.
4. Is my organisation a data processor, data controller or both and what’s the difference?
The legislation clearly differentiates between processors and controllers, although it is possible your organisation could be both. The Irish Data Protection Commissioner’s website offers the following example of such a situation:
“a payroll company would be the data controller in respect of the data about its own staff, but would be the data processor in respect of the staff payroll data it is processing for its client companies.”
In simple terms, a data controller decides how and for what reason personal data is processed, while a processor conducts the actual processing of the data. Under GDPR, the data controller is responsible for ensuring their data processor adheres to data protection regulations.
5. What are the risks of non-compliance with the GDPR?
Organisations found not to comply with the GDPR, either as the result of a failed audit or a data breach, will face fines of up to €20 million or 4% of global annual turnover, whichever is greater. The reputational repercussions of a significant data breach or failed audit, however, could potentially be more commercially damaging than the fines themselves.
6. Where can I go for help?
Becoming GDPR compliant (especially if you don’t currently have a plan in place) is a daunting task. Each EU country has a Data Protection Commissioner who is responsible for enforcing data protection laws. The Irish Data Protection Commissioner’s Office has extensive information resources available online. The Information Commissioner’s Office in the UK also offers many high-quality resources and tools for organisations.
There are also a significant number of law firms and data protection consultants available to assist organisations on the journey to compliance. The Data Protection Association, alongside many private educational bodies, is also offering GDPR training programmes in advance of the deadline.
As always, it is best to seek a personal recommendation before engaging a firm or training body you have not worked with previously. Being an obligatory requirement for most organisations, GDPR has led to some below-par, opportunistic suppliers jumping on the bandwagon.
The overwhelming advice on GDPR from all quarters is to get started now. It is quite likely that the regulator will look to enforce some high-profile judgements in the initial period after GDPR comes into effect, in order to highlight the severe penalties for non-compliance. The only way to avoid being made an example of is to demonstrate that your organisation has taken all realistic steps to comply with the legislation.