What is GDPR? The General Data Protection Regulation is the new law that comes into effect on 25 May 2018.
Who does GDPR apply to?
Anyone controlling or processing personal information, including employee or customer data. The GDPR applies to ‘controllers’ and ‘processors’. The controller determines how and why personal data is processed; the processor processes it on the controller’s behalf.
The GDPR places specific legal obligations directly on processors for the first time. For example, processors must maintain records of their processing activities, and they carry significantly more legal liability if they are responsible for a breach.
Under the new regulation, the highest tier of fines for the most serious infringements is up to €20 million or 4% of annual worldwide turnover, whichever is higher.
What is ‘personal data’?
The definition is now more detailed. It makes clear that personal data includes online identifiers, such as an IP address or an email address (whether business or personal), and that health information and genetic and biometric data are special categories that attract additional protection.
The accountability principle
This is perhaps the most significant addition. The GDPR requires you to be able to demonstrate how you comply with the principles, for example by documenting the decisions you take about each processing activity.
Simply having a ‘Data Protection’ policy statement is no longer enough.
Who is responsible for GDPR?
It is vital that all staff within an organisation are made aware of GDPR and of their own responsibilities for data protection. Even with the most stringent automated controls in place, human error remains the weakest link and the greatest risk to personal data.
Plan your GDPR awareness campaign now so that your staff understand:
- the requirements of GDPR.
- your expectations as an employer.
- what controls and processes are in place that must be adhered to.
- how to recognise and report a data breach.
- who to speak to regarding data protection.
Although the underlying principles of data protection do not radically change with the introduction of GDPR, there are some subtle changes that every organisation handling personal data needs to consider.
For a no obligation discussion, please contact us today.
Regardless of where you are in your GDPR journey, our consultants are happy to help you move to the next level.