Everyone is talking about the EU General Data Protection Regulation, but what is it? How will it affect small and medium-sized businesses? And what do I need to do to comply? These are all great questions, and ones that we hope to answer in our series of three blogs over the next few months.
What is the EU General Data Protection Regulation?
So, let's start by identifying what the new regulation is and why it is so important. The EU General Data Protection Regulation is a new regulation which is due to come into force in May 2018. Instigated by the European Commission, it will in most cases supersede older legislation such as the Data Protection Act. It intends to strengthen data protection for individuals within the European Union, giving them back control of their personally identifiable information (PII), that is, information that identifies or could potentially identify a specific individual.
Despite the complexity, GDPR cannot be ignored. The nature of the regulation, and the penalties which may result from non-compliance, require action from any business that holds data about its European employees, customers or partners. The regulation will apply to any company wishing to trade with Europe, so the result of Brexit will not affect it: all British businesses will need to take action.
What data does the regulation apply to?
As always, the starting point is to work out whether GDPR applies to you. Even if it does not, you still need to prove that you have reviewed your business processes against GDPR. If it does not apply, then this process and the decision reached must be documented.
GDPR only applies to PII and to whoever processes it across the organisation. There is a major benefit to addressing GDPR: you will have a better overview of your business systems, processes and security, which hopefully will foster customer confidence and loyalty by the end of the process.
The first key step is to understand whether a specific business area or group interacts with EU member states and has access to, or is using, personal information. If your organisation does not hold any personal information of European individuals, then GDPR does not apply to you.
Assuming that you have established that you do need to comply with the EU GDPR regulation for some of your information or employees, there are two further distinctions that are important to make. Firstly, do you hold identifiable data for individual customers? This means someone you can identify by name, ID number, location, etc. Secondly, is there sensitive personal data, e.g. data revealing physical or mental health, memberships of organisations, political opinions, criminal offences, etc.?
In both of the above cases, specific processes, protections and applications need to be developed, documented and implemented in a way that can be verified by audit.
What are the key changes?
The key changes and points to note introduced by the regulation are as follows:
- If your business is not in the EU but you wish to trade with the EU, you still have to comply with the regulation.
- The definition of personal data is broader than the one currently in place.
- To hold children's data, consent will need to be obtained from a parent or guardian.
- Each organisation will need to appoint a Data Protection Officer, if one is not in place already.
- In the case of a data breach or loss, there are stringent notification requirements.
- A new clause gives an individual the right to be forgotten, such that the purging of all their information must be proven.
- The international transfer of data to different parts of an organisation must be approved by the individual.
- The group or person who processes PII has increased responsibilities for that data. There may be many data processors in a single organisation.
If you would like some help in identifying what data you hold and what changes you need to make, then please contact us to arrange your free 60-minute consultation.
In our next blog post we will be discussing how to gain engagement from senior management to start the process.