Are you all set for GDPR?
Before checking whether you are ready for the GDPR, some of you might be wondering what it even is, and whether it will affect you and your business. GDPR stands for General Data Protection Regulation. It was approved by the EU Parliament in April 2016 with a two-year transition period, which means it comes into force on 25 May 2018.
Currently in the UK most of this area is covered by the Data Protection Act 1998 (DPA), but that changes next year. Several changes are coming, including larger fines for data breaches and fines for non-compliance, with the aim of aligning the UK with the rest of the EU.
Will it affect me?
The GDPR will apply to any organisation, no matter how small, that collects, stores or uses personal information. It applies to any organisation established in the EU that processes personal data, and also to any organisation outside the EU that offers goods or services to, or monitors the behaviour of, people in the EU, regardless of where the company is located. Personal data means any information that can be used to directly or indirectly identify a person, such as their name, picture, phone number, email address or bank details.
So what’s changing?
The main goal is to protect the privacy of every EU resident and to guard against data breaches.
Penalties – Under the new rules, organisations in breach of the GDPR can be fined. Fines are tiered, and for the most serious infringements can reach 4% of annual global turnover or €20 million, whichever is greater.
Clear and concise consent from subjects – Requests for consent must be clear and easy to understand, and it must be as easy for people to withdraw consent as it is to give it. Companies will no longer be able to bury consent in long terms and conditions that are difficult to understand.
Changes to a person's rights
Right to be forgotten – This entitles every person to have their personal data erased and to have the data controller cease any further dissemination of that data.
Data portability – This gives each subject the right to obtain the personal data they have provided to a controller in a structured, machine-readable format, and the right to transmit that data to another controller.
Right to access – This allows a person to obtain a copy of their personal data, free of charge, in an electronic format. It also gives subjects the right to find out whether their personal data is being processed, where it is being processed, and for what purposes.
Breach notification – This becomes mandatory where a data breach is likely to result in a risk to the rights and freedoms of individuals. Once an organisation becomes aware of such a breach it must notify the supervisory authority within 72 hours of becoming aware of it, and where the breach is likely to result in a high risk to individuals it must also inform the affected people without undue delay.
For a full breakdown of the changes and more information regarding the GDPR you can visit http://www.eugdpr.org/