So… what’s this GDPR thing all about?
- EU GDPR stands for the European Union General Data Protection Regulation.
- It is a new law that takes effect on 25th May 2018. It applies to any organisation that processes the personal data (even just names) of people in the EU (yes, including Britain), wherever that organisation is based.
- It replaces the now ageing Data Protection Act 1998, which implemented the EU Data Protection Directive (95/46/EC).
- The DPD predates the widespread use of the World Wide Web, and so is ripe for updating to deal with the modern movement of data around the world.
- Because the DPD was a directive, it was left to each country in the EU to implement it as it saw fit. 28 countries implemented it in 28 slightly different ways… Because the GDPR is a regulation, it applies directly in every member state in the same way, without separate national legislation – making it much easier for organisations to do business across national boundaries.
- The UK Government has already said that we’ll implement the GDPR here post-Brexit.
- According to PWC (speaking at the GDPR Summit in October 2017) more than 90% of organisations will not be ready to implement the GDPR by 25th May 2018.
- That means that if you can get your organisation into the remaining 10%, you’ll have a real competitive advantage.
- If you get this wrong, the potential fines are eye-watering – up to €20 million or 4% of an organisation's global annual turnover, whichever is higher.
- The GDPR sets out when an organisation needs to appoint a Data Protection Officer – that's essentially if your core activities involve:
- Regular and systematic monitoring of people (including via online identifiers such as IP addresses) on a large scale, or
- Processing "Special Category" data on a large scale (that's things like religious or philosophical beliefs and trade union membership, sex life and health information, criminal convictions data, genetic or biometric data and suchlike), or
- Processing data as a public authority or body
A DPO needs specialist training and expert knowledge of data protection law and practice for the role.
- The GDPR also says that organisations must be able to demonstrate their compliance with the GDPR (the "accountability" principle). A major component of this will be providing GDPR training to all staff and keeping a record of it.
- The GDPR sets out that data must be protected “By Design” and “By Default”. In other words, every time a new system is put together, or a process is changed, you must consider data protection at the start and all the way through the process.
- In order to achieve this, the GDPR requires Data Protection Impact Assessments (or DPIAs) wherever processing is likely to pose a high risk to individuals. A DPIA assesses what's happening to the data, what the risks to the people concerned are, and how those risks will be reduced.
- The GDPR uses 6 essential principles to provide the foundations for the Regulation: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality (security). Breaching these principles is one of the ways you can get your name into the news by attracting the largest fines.
- The GDPR gives a new set of rights to people, including the right to object to direct marketing – if you've ever been fed up with being offered a PPI claim, this is good news for you.
This is just an overview of some of the key points. If you’d like to know more, just ask us.
If you want to organise training for all your staff, we offer a 90-minute seminar (and can do four in a day) for large groups. If you want a more in-depth briefing for teams who work with data on a regular basis, we do that too. Click here to find out more about our GDPR training programmes.