What is GDPR?
The General Data Protection Regulation, or GDPR, will reshape how businesses process and handle data. Coming into effect on May 25, 2018, GDPR will particularly target how businesses and the public sector handle the information of 750 million European citizens. This means any company that holds any data on EU citizens, from personal information such as credit card numbers to something as simple as a photo of the citizen, is subject to GDPR.
Even though this law exists in the EU, its reach will be global. Businesses not situated in the EU could still face penalties and fines if they do not obey the legislation. If you are subject to the DPA (Data Protection Act), it is likely that you are subject to GDPR. The EU is serious about protecting the data of its citizens. Your business could be fined simply for suffering a security breach, and the penalties are substantial. Fines can be upwards of €10 million or two percent of a firm’s revenue. For more serious violations, penalties can reach €20 million or four percent of a firm’s revenue. However, it is important to note that Elizabeth Denham, the Information Commissioner, stated she “prefer[s] the carrot to the stick [and] while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well suited to the task at hand and just as effective.”
In the following segments, we will point out some of the essential steps to comply with GDPR, as well as how you can treat these rules as an opportunity to improve and grow your company, using them to increase your profits rather than letting compliance become an extra expense.
1. Determine your role
GDPR regulations affect all businesses that process the personal data of EU citizens, regardless of the location of that business. If you offer any goods or services to European citizens, the GDPR applies to you.
The first step you should take is to appoint a representative to act as a point of contact (POC) for the Data Protection Authority (DPA) and data subjects.
2. Appoint a data protection officer
If your organization is public, processes a high volume of data transactions, and/or deals with sensitive data that requires monitoring, appoint a data protection officer (DPO). This person’s responsibilities can include GDPR compliance monitoring, informing employees about each of their obligations, advising on impact assessment and performance, and acting as the point of contact on issues related to processing.
3. Demonstrate accountability in all processing
The GDPR places a strong emphasis on accountability. It is not enough to adhere to the regulations; organisations must demonstrate an accountable approach and transparency in all decisions regarding data processing. There are two important qualifiers here.
Firstly, this applies just as strictly to a business’s third-party suppliers. Secondly, implied consent is no longer sufficient; consent to data processing must be explicitly gathered and recorded.
4. Check cross-border data flows
Under the GDPR, personal data transfers are only allowed within the 28 EU member states and to select countries considered to have an adequate level of cyber security. Business leaders should make sure that data protected under the GDPR is not leaving these jurisdictions.
5. Know your data subject rights
Under the GDPR, data subjects have extended rights, including the right to be forgotten, the right to data portability, and the right to be informed (in the event of a data breach). If your business isn’t prepared for breaches and for people exercising these rights, it’s time to start implementing additional controls.
That’s all for now.
If you have any questions or feedback about this, please let me know in the comments; I’ll be happy to help and give you some tips.