GDPR: What You Need to Know
With the European Union General Data Protection Regulation (EU GDPR) coming into force on 25th May 2018 and about to supersede the Data Protection Act, organisations are sleepwalking into the possibility of being fined up to €20 million or 4% of an organisation’s worldwide turnover.
The primary objective of the regulation is to provide individuals more control over their personal data and to protect how their data is processed. The regulation:
- Relates to many aspects of personal data including: name, home address, photos, email addresses, bank details, posts on social networking websites, medical information, or a computer’s IP address;
- Is designed to harmonise data privacy laws across the EU, to protect and empower all EU citizens’ data privacy and to reshape the way global organisations approach data privacy;
- Applies horizontally to processing carried out by organisations operating within the EU and to organisations outside the EU that offer goods or services to individuals in the EU;
- Replaces the EU Data Protection Directive 95/46/EC (DPD);
- Will cause an update of the UK Data Protection Act 1998 (DPA); and
- Will not be affected by Brexit.
Individuals have rights – can you meet them?
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
The GDPR includes the following rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
Responsibility and Accountability in the Digital Economy
GDPR affects every aspect of an organisation: organisational design, technical architectures, and the technologies used to identify, classify and extract personal data. Relationships with customers, vendors and service providers will need to change to accommodate the GDPR. With less than one year to implement a GDPR strategy, doing nothing is not an option. An infraction can result in fines of up to €20 million or 4% of an organisation’s worldwide turnover. The regulation applies to data processors and data controllers that are either located in the EU or provide goods and services to individuals in the EU.
How do I know my organisation is ready for GDPR?
Useful information, including checklists, is available on the ICO website (www.ico.org.uk) to help you check your readiness; see https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf.
However, knowing whether or not you are ready is only the first step. How do you ensure you can actually execute on your responsibilities?
Some of the practical and costly challenges organisations will face in meeting their obligations include:
- Mining and searching disparate data sources for target documents that are at risk for personal data leaks;
- Classifying documents into predefined categories for easy review;
- Identifying and cataloguing instances of personal data;
- Extracting personal data, feeding a workflow or alerts to its presence; and
- Setting the disposition of a document containing personal data: archive, delete, secure and/or move.
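To make the last three steps concrete, here is an added illustration (not CoolHarbour's tooling) of a minimal personal-data discovery pass: it identifies and catalogues instances of some of the data classes named above (email addresses, IP addresses, bank details) across a constructed set of documents and assigns each document a disposition. The detection patterns, the set of approved stores and the disposition policy are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Detectors for some of the personal-data classes listed above (constructed
# patterns; the IBAN and IPv4 checks are deliberately simple, not full validators).
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:[A-Z0-9]{4}){2,7}[A-Z0-9]{1,4}\b"),
}

# Stores the hypothetical organisation has approved for holding personal data.
APPROVED_STORES = {"crm", "hr-vault"}


@dataclass
class Finding:
    doc_id: str
    store: str
    instances: dict = field(default_factory=dict)  # data class -> matched values
    disposition: str = "none"


def decide_disposition(f):
    """Constructed sample policy: secure bank details, move personal data out of
    unapproved stores, archive the rest; documents without personal data need no action."""
    if not f.instances:
        return "none"
    if "iban" in f.instances:
        return "secure"
    if f.store not in APPROVED_STORES:
        return "move"
    return "archive"


def catalogue(doc_id, store, text):
    """Identify and catalogue every instance of personal data in one document."""
    f = Finding(doc_id, store)
    for kind, rx in DETECTORS.items():
        hits = rx.findall(text)
        if hits:
            f.instances[kind] = hits
    f.disposition = decide_disposition(f)
    return f


def scan(documents):
    """Run discovery over (doc_id, store, text) tuples from disparate sources."""
    return [catalogue(d, s, t) for d, s, t in documents]


# Constructed sample corpus standing in for the organisation's data sources.
SAMPLE_DOCS = [
    ("ticket-17", "helpdesk", "User jane.doe@example.org reports login failures from 10.0.12.7"),
    ("payroll-q1", "hr-vault", "Refund to GB29NWBK60161331926819 for employee 4412"),
    ("notes.txt", "shared-drive", "Meeting moved to Thursday, no action items"),
]
```

Running `scan(SAMPLE_DOCS)` flags the helpdesk ticket for moving out of an unapproved store, marks the payroll record for securing because it carries bank details, and leaves the meeting notes untouched.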
Talk to CoolHarbour to understand how to quickly put into place automated processes to ensure your data responsibilities can be met cost effectively and quickly. Contact Faraz Khan (firstname.lastname@example.org) for more information on how we can help.