By Kali Bagary | 15 July 2017

The General Data Protection Regulation or GDPR for short.
Everyone is talking about it.
With impending deadlines, it is increasingly becoming more important and on the radar of most directors/managers and board members.
But what exactly is it?
Why is it important?
What are the key changes to the Data Protection Directive (DPD)?
What are the deadlines?

What Is It?

The GDPR is a new data protection regulation that builds on the original Data Protection Directive of 24th October 1995. Its aim is to protect EU citizens and the privacy of their personal data. It will punish those who are in breach of the regulation by issuing heavy fines.

It is widely believed to be the biggest shake up in personal data protection across the globe for 20 years.
The EU adopted the GDPR on the 16th April 2016. This EU regulation will come into force on May 25th 2018, which is why everyone is talking about

This gives power to the EU citizen. On request, entities must (amongst others) prove:

  • Where the data is stored (i.e. in the cloud, in databases, on spreadsheets and Word documents, etc.)
  • Why the data has been collected (i.e. for keeping personal tax records at the government office)
  • How the data is being used (i.e. in mailshots to promote a new service to the individual)

Why is it Important?

Technology has changed dramatically since 1995. From desktops to laptops, to tablets, to smartphones; how we – the consumer – want information has drastically changed: from print to the internet, speedy & accurate search returns, available content and even data processing via the cloud.
Companies across the globe are using rapidly changing, innovative technology landscapes to gather consumer information, enabling them to push out relevant content to consumers using wide-ranging delivery methods.
Direct mail has turned into email; short notes and messaging have turned into real-time data streams, web-search-based targeted advertising and apps.

Businesses gather consumer and prospect data, whether by buying a list or generating one through internet research, automatically tracking online activity and storing personal information. This has rendered the individual powerless against a relentless amount of online targeting.

This is the fundamental reason behind the GDPR. It seeks to shift the power back to the individual by enforcing a legally binding regulatory act, which essentially protects the EU individual against online harassment through unscrupulous targeting.

What's Changed?

The key changes to the original directive are as follows:

1. This is now a REGULATION, not a directive. This means it is a binding regulatory act and more enforceable.
2. Territorial reach. The GDPR applies to the EU and to any company that processes the data of an EU resident, regardless of the business location and where the data collection, monitoring and processing take place.
3. Penalties are severe. They can be up to 4% of the company’s global turnover or €20 million. There is a tiered fine system too, i.e. 2% of global turnover for a smaller breach, such as not having personal data records in order or not conducting a proper impact assessment. This applies to data controllers and data processors (which includes data held in the cloud) alike.
4. Consent. The definition of ‘consent’ is tougher: the request for consent must be made using clear and plain language in a simple form. Once given, consent must be as easy to withdraw as it was to give. Remember, consent means the individual must give you permission to contact them BEFORE you do so.

Data Subject Rights. These have been strengthened too. They include:

1. Breach notification: once made aware, data processors must notify customers, controllers & regulators within 72 hours. Be transparent.
2. Right to access: any individual can ask the data controller to tell them whether data is being held, where it is being held and for what reason. The data controller must provide an electronic copy free of charge. Enable free access.
3. Right to be forgotten: any individual can ask the data controller to erase all the information held on them. This includes deletion, halting further distribution and potentially having third parties remove their data too. Provide 'data erasure'.
4. Data portability: personal data that an individual has received electronically can be passed to another data controller. Facilitate individual data transfer.
5. Privacy by design: all data controllers must design all their systems to include and meet data protection requirements from the outset. This applies to both technology systems and business processes. Offer protective systems & processes.

Data Protection Officers must be appointed by any business conducting large-scale systematic monitoring or processing of sensitive personal data*. There are specific criteria the Data Protection Officer (DPO) must meet.

*Sensitive personal data is any dataset that can be used to fully or partially identify a person (e.g. job title/company).

Key Roles

There are clearly defined roles too. These are:

1. Data Controller. This is an entity which determines the purpose, conditions and means of processing personal data.
2. Data Processor. This is a person who processes personal data on behalf of the data controller.

As this will come into effect in less than a year, understanding the GDPR & how it will impact your business is critical. It will cost a lot of time, in terms of changing operational processes and developing new compliance strategies going forward. It will cost a lot of money, in terms of prioritising and adapting IT infrastructure plans & systems. But it must be done. The alternative, facing fines, is simply too great a risk. Don’t get caught out: remember the deadline, 25 May 2018, after which I am sure we will all be reading about the numerous fines that will be handed out.

Want to know more? Click here: http://www.eugdpr.org/eugdpr.org.html

We’d be delighted to offer you a free consultation on how you can transform your compliance management. Simply call us on 01494 546 089 or complete our short contact form and we will call you.

Who are we?

We are proud of our team of highly experienced & well-connected professionals, who have been successfully delivering business solutions across diverse technologies and in multiple industry sectors.

Our particular expertise is in the financial services and insurance sectors.

Along with this, we are able to call on our extensive network of consultants, partners and associates to augment our delivery capacity. TechFINIUM currently has operations in the UK, South Africa and India.

Harnessing Technology Boundaries