Did you know?
Potential fines of up to £17 million or 4% of annual turnover
Comes into force 25/05/18
All businesses will be affected
What is the GDPR?
After four years of preparation and debate, the new General Data Protection Regulation (GDPR) was finally approved by the EU Parliament on the 14th of April 2016. The GDPR replaces the Data Protection Directive 95/46/EC and has been designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy.
The GDPR threatens significant fines and penalties for non-compliant data controllers and processors. It will mean an increase in the maximum fine the Information Commissioner’s Office (ICO) can impose upon companies that have not adequately protected themselves against data theft, from £500,000 to £17 million (or four percent of turnover). Needless to say, changes to the governance of data will have far-reaching consequences for your business.
The drivers behind the GDPR are twofold. Firstly, the EU wants to give people more control over how their personal data is used. Secondly, the EU wants to give businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market.
So who does the GDPR apply to?
The answer: ‘controllers’ and ‘processors’ of data. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. So the controller could be any organisation, from a profit-seeking company to a charity or government. A processor could be an IT firm doing the actual data processing. Even if controllers and processors are based outside the EU, the GDPR will still apply to them so long as they’re dealing with data belonging to EU citizens. It’s the controller’s responsibility to ensure their processor abides by data protection law, and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under the GDPR than they were under the Data Protection Act.
Why is the GDPR needed?
The European Union’s General Data Protection Regulation (GDPR) represents the biggest change to global privacy laws for over 20 years. The GDPR represents the culmination of over five years of effort to modernise data protection. The EU Directive on Data Protection (95/46/EC), adopted back in 1995, could not have anticipated the increasing importance and reach of the Internet, or the exponential growth in methods for the mass-processing of data. In response to these needs, the GDPR has superseded the previous EU Directive to create a unifying data protection law for all EU Member States.
The GDPR applies to personal data relating to EU residents regardless of where it is processed. It redefines the scope of EU data protection legislation, forcing organisations worldwide to comply with its requirements. While the GDPR is based on the same data protection principles as its predecessor, it introduces new rights for data subjects. Robust data protection is not simply a burden on an organisation; good data protection practices should protect both brand and reputation, and improve data quality.