The Lowdown on GDPR: Part 1
GDPR is one of the hottest topics right, and with good reason. After four years of preparations and debate, GDPR is positioned as the biggest shakeup to the history of online privacy regulations in the EU, and will apply from 25 May 2018. According to the GDPR portal, the new framework ‘was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizen’s data privacy and to reshape the way organisations across the region approach data privacy’. If you deal with personal data, then you will need to comply with GDPR when it comes into place, and this will involve preparations based on a clear understanding of what’s required. The stakes are high for those who are non-compliant when the time arrives, as there are hefty fines for those who have not met its requirements.
But what is GDPR? Is it as scary as it seems? What preparations are required from you? Our three-part blog series will cover everything you need to know in order to start preparing for the European General Data Protection Regulation. We will explore exactly what constitutes as ‘personal data’, as well as the implications of GDPR for SMEs, who may not be sure how they should proceed, or where they should invest their resources, particularly if they’re limited.
What is GDPR and why do we need it?
GDPR stands for the European General Data Protection Regulation, and will apply to throughout the EU (Brexit has no impact on this, and will not exempt British businesses). The new regulation will replace old, outdated data protection legislation (like the Data Protection Act of 1998 and the 1995 EU Data Protection Directive) by unifying all data privacy laws in the EU. The law also aims to update legislation to fit modern-day data practices, protect EU citizens’ personal data, and change how organisations who collect and process personal data use it.
GDPR has over 160 requirements regarding data collection, storage, and usage, as well as clear guidelines on how to deal with personal information. It also requires that organisations report data breaches within 72 hours of the event, and will introduce tough fines for unreported breaches and non-compliancy. In addition to this, GDPR will also give citizens more power to challenge organisations who use their personal data (think of the likes of Facebook and Google, or whenever you access a third-party site that asks for your data). It also gives businesses some clarity on how to operate legally when it comes to dealing with data, and by making the law identical through the single market, it’s estimated that business savings in the EU could amount to a collective €2.3 billion a year.
Not only this, but as the GDPR is a piece of legislation and not a directive (which demands that certain targets must be met, but member states are free to decide how to integrate these into national law), it now ensures that all data protection rules and requirements are the same throughout the EU.
Who does GDPR apply to?
Not everyone will be equally affected under GDPR, but data controllers and data processors will have to adjust their operations to comply.
What are Data Controllers and Data Processors (and what’s the difference)?
The points of distinction between the two roles can be very confusing, and a little unclear. Here is a basic overview, but if you’re still not sure which category you fall into more detailed information can be found here.
- Data controllers determine how and why personal data is processed.
- A Data Processor is anyone who processes personal data, and act on the controller’s behalf but not as an employee, but rather as a service provider or third-party affiliation (e.g. a data analytics provider).
If your organisation currently falls under the 1998 Data Protection Act, it’s likely that GDPR will apply to you. As for international organisations that operate across borders, GDPR also has the element of ‘extraterritoriality,’ meaning that it will still apply to controllers and processors outside of the EU, as long at the data they’re dealing with belongs to residents of the EU.
There’s still time to do your research
The countdown to GDPR is on, but there’s still time to research, plan and ensure that you comply. Our next blog will explore what exactly counts as ‘personal data’, the consequences for non-compliance, and the implications of the ‘One Stop Shop Mechanism’, so make sure you check back for our next post.
Cogmotive is the leading global provider of enterprise level reporting and analytics applications for Office 365. Find out more now.