The European Union’s new General Data Protection Regulation (GDPR) is the biggest change in data protection laws in 20 years, effectively replacing the Data Protection Act of 1998. There is a lot of confusion around GDPR, and so the purpose of this article is to try to convey its principles as simply as possible, concluding with a call to action.
In modern society, through the use of websites, applications, social media and much more, we all have what I like to call a ‘digital DNA’. This DNA is made up of all our personal and big data, and it allows organisations to identify us or build a digital profile of us. GDPR has been designed to strengthen individual privacy and give citizens back control over how their data is used and processed.
- It comes into effect on May 25th 2018
- It is relevant if you hold any personal data of persons in Europe (so no, Brexit won’t affect your need for compliance)
- Applies to controllers and processors
  - Controllers – determine how and why personal data is processed
  - Processors – act on behalf of the controller
- What is personal data? – Anything that can be used to identify an individual – e.g. one or more factors specific to the online, physical, physiological, genetic, mental, economic, cultural or social identity of that person
- One of the most significant changes is the accountability principle – GDPR requires you to show HOW you comply with the principles – for example by documenting the decisions you take about a processing activity and by appointing a Data Protection Officer (DPO)
Some of the key areas to consider are:
- Lawful processing – you must identify a legal basis before processing personal data;
- Consent – you must obtain a freely given, unambiguous indication of the individual’s consent without pre-ticked boxes, abide by the right to be forgotten, gain consent for data use by third parties, and obtain consent for all children’s data
- Individuals’ rights – individuals have the following rights: to be informed, to access, rectify and erase their data, and to restrict or object to its processing
- Restrictions on transferring data outside the EU without the necessary provisions in place, e.g. evidence of compliance, contracts, clauses, guarantees
The Challenge For You
- Ensuring sufficient policies and processes are in place
- Training and awareness of your staff in GDPR requirements and compliance
- Creating a roadmap for change
- Having to be ready by May 25th 2018
- Non-compliance penalty
  - Up to 20m euros or 4% of global turnover
Accordant’s solution will give you clarity and peace of mind. We will undertake a rapid yet comprehensive assessment of your organisation with regard to GDPR and then provide a detailed report highlighting any elements that will need to change in order to comply. We keep it to plain English, avoid ambiguous terms and jargon, and create a roadmap of actionable next steps so you know exactly what to do.
Contact Accordant at firstname.lastname@example.org to set up a no-obligation initial consultation, or for more information.