GDPR – General Data Protection Regulation
The GDPR replaces the original Data Protection Directive 95/46/EC. As an EU Regulation requires no legislative act, it automatically becomes law on 25th May 2018. We are currently in the middle of a 2-year lead-in. This is the grace period! It’s time for companies to take action, with only 49 weeks to go.
The regulation’s main purpose is to give EU citizens back control of their personal data. When the Data Protection Directive was originally enacted in 1988 and later amended in 2003, there were no social network sites like Facebook or Twitter. This regulation brings the law up to date for the modern cyber world we now live in, and while it was written with internet-based organisations in mind, it has knock-on effects for everyone. The GDPR has caught the attention of organisations, large and small, throughout Europe, as this law comes with teeth, with fines for a data breach of up to €20 million or 4% of global turnover, whichever is greater.
Who does it apply to?
Any organisation that controls or processes personal data. So, what is personal data? The EU have described it as “anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
First steps to being prepared for GDPR
The Data Protection Commission’s website carries advice for getting ready to be GDPR compliant. These are the first 3 steps of their 12-step readiness programme:
- Becoming Aware
  Find out what the requirements of GDPR are & get plans in place. Begin by considering what areas may cause compliance issues.
- Becoming Accountable
  Make an inventory of all personal data you hold. Then examine:
  - Why are you holding it?
  - How did you obtain it?
  - Why was it originally gathered?
  - How long will you retain it?
  - How secure is it in terms of encryption & accessibility?
  - Do you ever share it with third parties?
  Don’t forget to consider the likes of hard copy company records in storage, CCTV security camera footage, backup tapes & replications, and information obtained by cookies.
- Communicating with Staff & Service Users
  Keep service users fully informed of how you use their data.
  Review all data privacy notices.
If you haven’t examined your exposure to GDPR yet, begin by creating a table of your data sets, listing where they are held, the format they are held in, and how long they are held for.