GDPR: what do you need to know?

What is the GDPR?

The General Data Protection Regulation (GDPR) is a new legal framework to be applied within the EU. It is principally designed to cover all those businesses which have day-to-day responsibility for personal data. It aims to achieve uniformity in data protection legislation across the EU thereby streamlining data exchange and security between member states.

It gives consumers more say in how companies use their data, making data protection rules near enough the same throughout the EU.

The data protection rules will apply to all businesses based in the EU and/or doing business in the EU. They will have to comply with the new regulations if they collect any personal data from EU citizens. The new regulations will be much tougher, introducing fines for companies not complying. It has been created to help improve trust in the emerging digital economy.

Why you should care

The GDPR will define how organisations can collect, use and transfer personal data. Not only will businesses need to adhere to local laws governing information retention in every market they operate in, but they also need to re-evaluate their individual business requirements and risk appetite. Failure to comply with the GDPR risks a maximum penalty of either €20 million or 4 percent of worldwide turnover (whichever is greater) – it can cost your business money, reputation, credibility and more. Equally, the first organisations to become compliant can use it as an accolade, highlighting that personal data is safe in their hands.

In addition, service providers or ‘data processors’, which  were not previously subject to the more restrictive aspects of data protection legislation, will also now be affected. Organisations that use third parties will have to ensure that their data provider complies with the regulations as, in case of a breach, both data processor and data controller will be considered to have shared liability and will be penalised. Furthermore, all public authorities and organisations where core activities involve ‘regular and systematic monitoring of data subjects on a large scale’ or large-scale processing of ‘special categories of personal data’ will be required to employ a dedicated Data Protection Officer.

Always be prepared

Ahead of the GDPR, it is very likely that most businesses will need to overhaul their framework to ensure compliance and that they are aware of what data they hold, why they hold it, where it’s kept and how long it should be kept for. They will also need to re-think what data is actually needed to manage business and employment relationships.

Organisations will be required to build a transparency framework that re-thinks how they engage with individuals, from contracting and permissions processes to providing clear and comprehensive information on how they handle personal data. The next step is to review contracts with third parties, and include a right of audit in their contracts. As part of this process, there is a huge education element involved. Regular data protection training will of course be required and will have to be extended to contractors and other third parties.

Becoming GDPR compliant will no doubt be a long and laborious task, but will also be a significant achievement, and potentially one of the screening criteria for tenders in the future. Let’s not forget that all businesses handling personal data will be required by law to become GDPR compliant by 25 May 2018, so it’s crucial to start planning and revisiting your data strategy today.