General Data Protection Regulation (GDPR)

Data protection is a serious issue faced by all businesses and organisations.

Frequently we hear about the loss or theft of data, and how this data can be used for illegal purposes.

The ‘Data Protection Directive’ was implemented in 1995 and was put in place for the protection of individuals with regard to the processing of personal data and the movement and use of such data. It is considered an important element of European Union privacy and human rights law.

However in the fast moving world of IT the act was considered to be lacking in certain areas, therefore in 2012 the EU looked at creating a replacement policy which was in the form of General Data Protection Regulation (GDPR). This new act will be adopted this year but official enforcement will not begin until Spring 2018. This is to allow companies to understand the legislation and put the required measures into effect.

A summary of the reasoning for the new GDPR act is as follows: “The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 2% of worldwide turnover.”

The GDPR is already creating a lot of concern for businesses, with half of global companies saying they will struggle to meet the rules set out by Europe unless they make significant changes to how they operate. Also differing regulations in different regions are creating inconsistent, and often incompatible, instructions for how personal information is stored, processed and shared. It will become a real challenge for a company to be compliant in all regions.

Some of the key changes that the General Data Protection Regulation (GDPR) is delivering are:

• A single set of rules on data protection, valid across the whole of the EU
• Companies and organisations will only have to deal with a single national data protection authority in the EU country where they have their main head office
• Companies with over 250 employees will need to employ a Data Protection Officer (DPO) to act as the principal point for all data protection undertakings
• Companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (ideally within 24 hours)
• People must have easier access to their own data and be able to transfer personal data from one service provider to another more easily (data portability), with the aim of improving competition among services
• A ‘right to be forgotten’ will help people better manage data protection risks online – people will be able to delete their data if there are no legitimate grounds for retaining it.

One of the key themes of the GDPR is accountability. In practice this will entail establishing a culture of monitoring, reviewing and assessing your data processing procedures and policies, aiming to minimise data processing and the retention of data. Auditable data impact assessments will also need to be conducted and steps taken to address any risks that are highlighted during the audit.

Nearly all businesses and organisations keep digital copies of customer data – so it’s clear that data protection and the issues associated with it are here to stay. Protection of this data is vital and the penalties for not doing so are only going to get harsher. Obviously the GDPR is very extensive, and it will undoubtedly require some time and effort to understand and implement.

Our recommendation is to do some research and get a good head start on putting the required changes into place.