The new European General Data Protection Regulation will come into effect on May 25th 2018.
Immedis will publish a series of blogs, with the aim of sharing useful information that can help you become more aware of and prepared for the new legislation. In the first of this series, we look at what exactly GDPR is and why it is important.
What is GDPR?
GDPR is a new European regulation that will come into effect on May 25th 2018. All businesses and organisations that handle personal data of EU citizens will have to comply with the General Data Protection Regulation.
This is the biggest change to Europe’s data protection laws in over 20 years. Since the rules were originally established in 1989, the amount of digital information that is created, gathered, and stored has increased massively, which prompted this huge overhaul of the European data protection laws.
The new rules aim to guarantee consistent and effective protection for EU citizens’ personal data. Individuals will have the right to ask for access to any data held on them and to request that it be corrected, removed, or destroyed (subject to any legal requirement to retain it).
GDPR will ensure the free flow of personal data across the EU and will eliminate differing views, interpretations and applications across the EU. It will protect the fundamental rights and freedoms of everyone.
What is Personal Data?
Personal data is any information that relates to an identifiable person, i.e. you can work out who the person is from the data. This means any data that identifies a living person, or that can be used in conjunction with other data to identify one, is considered personal data. This includes but is not confined to:
- identification numbers
- online or physical identifiers
- social, psychological, medical, economic, cultural information
- genetic/biometric information
Who is accountable for GDPR?
In short, anyone involved with handling personal data. There is no escaping accountability under GDPR.
There are two key terms that define the parties involved with personal data.
- Data Controller – an individual or legal person, public authority, agency or other body that controls and is responsible for controlling the content and use of personal data.
- Data Processor – an individual or legal person, public authority, agency or other body that processes personal data on behalf of the controller. This does not include employees of the data controller who process data in the course of their employment.
Many organisations will also have to consider Sub Data Processors. This includes ICPs, vendors, third parties, contractors, etc.
The new laws make both data processors and data controllers liable under GDPR.
Why is GDPR important?
The right to privacy is a fundamental human right. Many companies and organisations process personal data for large numbers of individuals. This data includes personal, financial, and in some cases medical and other sensitive details. Organisations are trusted with this information and have a moral, ethical and legal obligation to ensure its safety and confidentiality.
What happens if you are not compliant?
Failure to comply with GDPR can result in fines of up to 20 million, or 4% of turnover – whichever is greater. Other repercussions can include lasting reputational damage and suspension of data flows for a defined period – i.e. the organisation must stop processing.
GDPR will change the way every business and organisation handles and processes information.
Everyone is accountable and it is crucial that everyone in an organisation is aware of their obligations and responsibilities in how they collect, use, and protect personal data.
Review your organisation’s systems and processes – identify any problem areas now so you are prepared and fully compliant for next May.
Stay tuned for our next post, where we will discuss ‘The Internal Impacts of GDPR for Organisations.’