The General Data Protection Regulation
The GDPR is a legal framework that sets guidelines for the collection and processing of personal information
of individuals within the European Union (EU). It was introduced in May 2016 and comes into effect in May
Consumers will have more rights which must be adhered to by organisations:
- Right to rectification: have personal data amended if it is believed to be incorrect.
- Proof of consent for processing data. Permission needed for data of under 13s.
- Data portability: moving data from one company to another.
- Right to object to processing of personal data at any time.
- Right to erasure: have personal data deleted without undue delay.
- Privacy by design. Organisations must consider how their data processing impacts privacy. Risks need to be recorded and steps taken to mitigate them.
- A Data Protection Officer (DPO) must be appointed if the organisation:
  - Is a public authority processing data.
  - Has core activities that require regular monitoring of data.
  - Processes certain types of personal data, e.g. relating to a criminal conviction.
Enforcement & Liability
Previously, only data controllers were liable under the Data Protection Act 1998; data processors now share that liability. In the event of non-compliance, there are two levels of fines depending on the incident:
- a maximum fine up to €10 million or 2% of global turnover, whichever is higher.
- a maximum fine up to €20 million or 4% of global turnover, whichever is higher.
In the event of a data breach, an organisation must alert their national data protection authority no later than 72 hours after the breach, unless there is no risk to the rights and freedoms of individuals.
If a personal data breach is likely to put the rights and freedoms of an individual at high risk, then the organisation must alert the data subject affected without undue delay.
What details will need to be reported?
- The number of data subjects who are at risk
- Categories of data
- The consequences of the breach
- Data protection officer details/other point of contact
- Mitigation proposals
When must organisations delete personal data?
- If kept longer than necessary for the purpose it was collected.
- Withdrawn consent.
- Objection to the data processing.
- Unlawfully processed data.
Companies are best to prepare for the GDPR as early as they can. The ICO has provided a plethora of information and whitepapers to help companies understand the new regulation and you can download their whitepaper with twelve steps to prepare for the GDPR here.
Where to start?
So what do you need to do to start preparing? It helps to know the standard of your data already, using a free data quality report!