The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is an EU regulation. The European Parliament, the Council of the European Union, and the European Commission use this regulation to increase data protection for everyone in the EU.
The aim of the GDPR is to enable individuals within the EU to control their personal data. In addition, the GDPR simplifies the regulatory environment for international businesses by making this an EU-wide regulation.
Coming into effect on 25th May 2018, this regulation is applicable to all businesses in the UK. Irrespective of Article 50 being triggered by the UK government and leaving the EU (as Brexit is a 2-year process), all businesses must comply with the GDPR before this date.
The GDPR regulation will replace the data protection directive from 1995, which regulates the processing of personal data within the European Union. Already a law, the GDPR will end its two-year transition period on 25th May 2018.
The GDPR applies to all business who have data on UK or EU individuals. This includes every company in Europe as well as every company that trades or processes personal data in the EU. The GDPR extends this to cover those who utilise personal data directly or indirectly with Europe.
Companies that fail to comply will face potential criminal convictions and damages in court cases. Additionally, depending on the infringement, companies can be fined up to:
1. €10 million or 2% of annual worldwide turnover of the preceding financial year, whichever is higher
2. €20 million or 4% of annual worldwide turnover of the preceding financial year, whichever is higher
From researching, studying and learning all about this new regulation, JVR Consultancy realise that all sectors must learn new disciplines. This includes lawyers, IT professionals, and management. In fact, all data flow processes need to be completely understood, defendable, self-disciplining and regulator- proof. This new regulation will affect every company in the UK/EU, not to mention every global company doing business in the European Economic Area.
The new EU reform regulation aims to:
- Reinforce the fundamental rights of the individual – privacy by design and by default
- Strengthen the EU internal market through new, clear, and robust rules for the free movement of data
- Ensure consistent enforcement of these rules
- Set global privacy standards
- Safeguard a golden standard for privacy across all industries
Due to this, each company will need to make changes and understand the following:
1. Data breaches
2. Risk register
3. Privacy communication
4. Individuals’ rights
5. Consent of supplier & client
6. Subject access requests
7. Staff awareness
8. If relevant – data concerning children
9. Privacy by design and privacy impact assessments
10. Data protection officers
11. International – if your organisation operates in more than one EU member state
Some companies believe that this is an IT department issue. However, the GDPR is not just focused on IT. In fact, of the 98 Articles in GDPR, less than 5 deal with IT. GDPR is about fundamental rights, freedoms, fairness, and vital interests. On that note, do not allow your IT supplier or provider deal with GDPR as GDPR has very little to do with IT.
For a thorough insight into the impact the GDPR will have on your business, please contact our certified advisory team on 01628 56 52 56.
Our GDPR consultants cover the whole of the UK to provide an extensive free GDPR Gap Analysis to support your transition into becoming GDPR compliant.