General Data Protection Regulation (GDPR): Are you ready for the new law?
If not, you are not alone. Recent research by Compuware Corporation shows that the majority of businesses surveyed are not yet ready with a plan to respond to GDPR.
As HRIS consultants working regularly in the EU with clients' sensitive data, we are very aware of its importance and potential impact on organisations. So here is a quick overview of the issues we think are worth noting.
What is GDPR?
It is 220 pages of new data protection legislation designed by the European Commission to strengthen and unify data protection for individuals within the European Union.
It was adopted on 27 April 2016 and will come into force on 25 May 2018. Once in force, it will require every organisation that offers products or services to EU citizens, as well as those handling data of EU citizens, to adhere to a strict set of data privacy and security measures.
And do not let the Brexit issue muddy the waters: the new legislation will be here in May 2018 whatever the Brexit timetable is, so best get prepared.
Why is GDPR Important?
The definition of 'personal data' has been extended, which has far-reaching consequences for business, but the main reason it is important and you need to take note is that this new legislation has teeth. The fines for non-compliance are scarily massive: up to €20M or 4% of the offending company's global annual revenue, whichever is higher.
This will be enforced in the UK by the ICO (which will no doubt be eager to plug the gap in its income from the lost data register fees).
GDPR's Key Issues to Consider:
- Explicit consent is now required, with an onus on organisations to demonstrate that consent has been given (no more small print tucked away; consent cannot be inferred from pre-ticked boxes or inactivity)
- Right to be forgotten by the organisation (can you enact this easily, given that data may be fragmented and difficult to find?)
- Data security breaches will be required to be reported to the ICO within 24 hours
- A Data Protection Officer needs to be appointed who is properly trained for the role and has direct access to the board / senior management team
- Subject access requests: the current £10 fee is to be abolished and the 40-day delivery period reduced to 30 days
Going back to the "personal data" definition: this has been expanded in the new legislation, as personal data now means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
In conclusion, it is time to get ready for the coming legislative changes, as data protection and how you manage its processes become increasingly important.