The aim of GDPR…
The aim is to protect all EU citizens from privacy and data breaches. The digital world has changed beyond measure since the data protection regulations were created in 1995. The main principles have not changed, but the regulatory policies and the actions required have.
I. Increased scope
The extended jurisdiction of GDPR means that this new set of rules applies to ALL companies processing the personal data of people living in the EU, irrespective of where the company is located. Previously, the territorial scope was ambiguous. Under GDPR, non-EU companies will have to appoint an EU representative.
II. Increased penalties
Causing the most angst are the proposed penalties that businesses will incur should they fail to meet the regulations stipulated in this new ruling.
- Serious infringements – an organisation in breach of GDPR could be fined up to 4% of their annual global turnover or €20 million, whichever is greater. An example of this would be not having sufficient customer consent to process data.
- Tiered approach – this is the maximum fine, but you also need to be aware that it is a tiered approach. For ‘less’ serious data offences you could be fined 2%, for example because you have failed to keep records in order (a breach of Article 28).
GDPR applies to both controllers and processors, so it covers ‘cloud’ services too.
The conditions for consent have been strengthened too. Information about consent must be given clearly and concisely, in plain language. It must also be easy to withdraw consent.
IV. Breach notification
Breach notification under GDPR, which comes into force at the end of May 2018, will be mandatory for breaches large or small in cases where the breach is likely to “result in a risk for the rights and freedom of individuals”. Notification must be made within 72 hours. Data processors must tell controllers “without undue delay”.
V. Right to access
GDPR extends the rights of customers not only to access their information but also to learn where it is being processed and for what purpose. Controllers must also provide a copy of the personal data free of charge in electronic format.
VI. Right to be forgotten
Also known as Data Erasure. The details are outlined in Article 17, which says data must be erased if it is no longer relevant or the data subject withdraws consent. However, the thorny issue of public interest muddies the waters.
VII. Data portability
This is a new concept and refers to the right of a data subject – e.g. a customer – to receive their personal data in a ‘commonly used and machine-readable format’ and the right to transmit this data to another controller.
VIII. Privacy by design
This is not a new concept but one that is now firmed up as part of GDPR. Data protection is no longer an ‘add-on’ to a system but an integral part. These ‘appropriate and technical measures’ are a must, the detail of which is covered in Article 23.
IX. Data Protection Officers
DPOs will level the playing field when it comes to reporting data processing activities. A DPO would keep internal records but the appointment of a DPO will only be mandatory for a company or organisation if they are consistently processing data that requires regular and systematic monitoring.
How can we help you?
If you’re in need of assistance with any aspect of ISO or GDPR compliance, here at Synergos we’d be delighted to help. Whether you have questions about the path to compliance or are looking for advice and support to maintain compliance, call 01484 817 444 or email email@example.com and we’ll be happy to talk it over with you.