General Data Protection Regulations (GDPR)
- 20% of UK IT decision makers are unaware of GDPR
- 26% of companies don’t know how long they have to become compliant
- Breaches can take 200-300+ days to discover
Since 1995 we’ve been used to Data Protection Directive (DPD) that has been the regulation throughout Europe. It was intended to strengthen and unify data protection for individuals within the European Union. It addressed the movement of information and data in and out of the EU.
The new regulations GDPR will take over from DPD. On April 2016 it was adopted and will take full effect on the 25th May 2018.
This is the biggest change and most important change to data-privacy in 20 years. Preparation is key.
Any non-compliance will face a heavy fine.
Key Changes from DPD to GDPR are:
- Increase Territorial Scope (extra-territorial applicability)
- Data Subject Rights
- Breach Notification
- Right to Access
- Right to be Forgotten
- Data Portability
- Privacy by Design
- Data Protection Officers
Still not sure if you understand how the changes will affect you? Here’s 6 steps for you to consider.
Step 1 – What is personal data and do I have it?
The first step in deciding which parts of the new legislation will apply to your organisation is understanding personal data. The definition of ‘personal data’ in the context of the new regulation is data relating to a ‘data subject’ (a person) who can be directly or indirectly identified. Such data also includes device identifiers, cookies or IP addresses. This means that, under the GDPR, data controllers organisations should be aware of all personal data under their control. Organisations should be able to demonstrate that they understand the potential risks to information, as well as how to mitigate those risks.
Step 2 – Does GDPR apply to me?
Next, it is important to have an understanding of the key terminology included in the GDPR in order to know whether it is relevant to your organisation. As well as ‘personal data’, key terms to understand include ‘territorial scope’, ‘data subject access requests’, ‘data protection impact assessment (DPIA)’, ‘the right to erasure’, ‘data portability’ and ‘consent’. For further information on these, go to our knowledge centre, or find the glossary of terms on eugdpr.org.
Step 3 – Where does data live within my organisation?
In order to meet your statutory obligations, you first need to know where personal data lives. A detailed analysis of the data stored on corporate systems, employees’ personal devices, offsite archives and filing cabinets, as well as information stored by suppliers, subcontractors and business partners (people who process personal data on your behalf) will be required to give you the full picture.
Step 4 – Develop a data map and classify every piece of information
Following this analysis, we recommend creating a data map which provides a 360-degree view of all physical and digital information. This will need to including personal data, stored across an organisation. The data map is an important tool to ensure that you can quickly locate and monitor all information on an ongoing basis.
Step 5 – Review and update existing policies
Once you know where your information is, you need to know what you can do with it, and how long you are permitted to keep it. This requires making sure that your retention policies are up to date, reflecting legal, regulatory or contractual obligations so that you are only keeping what you should. Anything that is not required to be kept, should be fully destroyed.
Step 6 – Maintain awareness and responsiveness
Finally, it is important to make sure that the business as a whole is aware of its obligations. Information passes through the hands of employees, contractors and suppliers, so all parties must understand and comply with the same retention policies. Just as regulations change and impose new obligations on organisations over time, your retention policies should remain dynamic and responsive, adaptable to evolving business and regulatory landscapes.
Organisations across Europe have long been familiar with the need to ensure that they store personal data according to the latest regulatory requirements. The introduction of the GDPR means any non-compliance could result in fines of up to 4 per cent of annual world group turnover or EUR 20 million. Getting data retention right is now more critical.
Following these six steps is the starting point for avoiding the wrath of the regulators. Failure to act now will leave you rushing to catch up at a time when a mistake or oversight may be punishable by law and could cost your organisation dearly.
If you are still unsure how this will effect you and would like some advise, please contact us as we would be happy to help you.