WHAT IS IT AND WHEN IS IT COMING?
The General Data Protection Regulation (GDPR), agreed by the European Parliament and Council in April 2016, will replace the Data Protection Directive 95/46/EC in Spring 2018 as the law regulating how companies must protect EU citizens' personal data.
Those companies that are already in compliance with the original directive through the Data Protection Act 1988 must ensure that they comply with the new requirements of the GDPR before it becomes effective on 25th May 2018, and that includes UK firms, before you mention BREXIT.
The GDPR applies to "controllers" and "processors". The definitions are broadly the same as under the DPA, i.e. the controller says how and why personal data is processed and the processor acts on the controller's behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.
However, it goes further than the Data Protection Act by introducing measures including:
- restricting the use of consent as a justification for processing data;
- demonstrating compliance through the documentation of data processing activities;
- adopting organisational measures for data protection such as policies and practices; and
- providing more information to employees and job applicants on the purpose and legal grounds for collecting their data, and their rights in relation to their personal data.
WHAT IS REGARDED AS PERSONAL INFORMATION?
Personal information is defined as: name, address, phone number, bank/credit cards, email address and IP address.
Importantly, as part of this new European legislation, if your data is breached you must report it within 72 hours, otherwise you may be fined by up to 4% of your Company's revenue.
PROCESSORS & CONTROLLERS
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
If you are a controller, you are not relieved of your obligations where a processor is involved: the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
This can sound enormously worrying but at its heart it is fairly straightforward and not vastly different to what is already in place.
In a nutshell, GDPR means that you must be aware of where your Company's data is stored, who has access to the data and, more importantly, who should have access to that data.
More news to follow on this tricky area for business.
CALL THE PINNACLE PARTNERSHIP
NOW FOR ADVICE
0330 323 0435