What is GDPR?

The General Data Protection Regulation (GDPR) is a new regulation that will replace the current Data Protection Directive of 1995. It is intended to enhance and unify data protection for all individuals living in an EU member state.

What happens if an organisation fails to comply?

The financial penalty put in place is steep – a fine of 20 Million EUROS or 4% the organisation’s global turnover (whichever amounts to more).

Who does the regulation apply to?

• Any organisation that collects and controls personal data from EU citizens.
• Any organisation that processes data on behalf of another organisation (for example, a cloud service provider).

If your organisation is outside of the EU but collects and processes data of EU citizens, the regulation also applies. Although the UK are set to leave the EU, the UK Government have stated that the GDPR regulation will still apply to all UK based organisations.

Why is GDPR being put in place?

Currently each of the 28 EU member countries operate under their own interpretation of the Data Protection Directive (1995), the new regulation aims to:

• Give control back to citizens and residents regarding how their personal data is acquired, stored, secured and processed. It also gives citizens the right to access, challenge and amend their data.
• Replace the outdated Data Protection Directive by factoring in new technologies and emerging platforms, such as social media and cloud computing.
• Create a single unified regulation across the EU to replace the various interpretations of the previous directive.

What can organisations do to prepare?

There are several areas to consider when preparing for the new GDPR regulation:

• Create a role for a Data Protection Officer – applies mainly to organisations with over 250 employees that have direct involvement with the collection and processing of data.
• Implement GDPR at board level, with direct responsibilities lying with the CIO, CISO and Data Protection Officer.
• Adopt risk management tools and implement security and privacy protocols into the Operations of the organisation (for example, develop a data privacy framework).
• Be concise and clear about data that is collected, what it is, where and how it is stored, how it is accessed and where it goes.
• Be confident that data held can be securely deleted when requested.
• Carry out regular and compulsory impact assessments.
• Ensure your IT infrastructure is setup to minimise the risk of a data leak or security breach. As part of the GDPR regulation it is required to report a data breach to a supervisory authority within 72 hours.

What is meant by ‘personal data’?

The European Commission defines ‘personal data’ as any information relating to an individual, personal or professional. This includes: name, address, email address, financial details, posts on social networks, photographs, medical records and even an IP address.