What is GDPR?
Our Head of Legal, Leon Daniel, has written some useful information on General Data Protection Regulation (GDPR) and what it might mean for your organisation. This is the first of a series of articles on the new Regulation and will cover the steps we are taking at SD Worx to ensure GDPR compliance.
What is GDPR?
GDPR is a new piece of European legislation that was finally adopted on 27th April 2017 after several false starts. It will come into force on 25th May 2018 across Europe, and it will apply not only to any organisation situated in the EU, but also to any organisation that processes the personal data of EU citizens regardless of where they are located.
A key difference between GDPR and the existing data privacy laws is that it also applies directly to data processors, who will be liable alongside data controllers (the owners of the data) for GDPR breaches.
What about Brexit?
GDPR will apply in the UK regardless of Brexit. The Queen set out the Government's plans during the opening of Parliament, where Her Majesty said: "A new law will ensure that the United Kingdom retains its world-class regime protecting personal data…" and we expect that the Repeal Bill will be used to bring GDPR into law for the UK.
So, what is it exactly?
GDPR takes many of the concepts under existing privacy laws and enhances and extends them. Existing data subject rights, such as the right to receive a copy of the data and the right to rectification, are extended, for example with shorter time limits for compliance.
There are also a set of new data subject rights such as the right to erasure (not quite as broad as the much-discussed right to be forgotten), and data portability.
Other big changes include a right to self-report any breaches, special rules for processing children’s data, new categories of sensitive data and the requirement to give specific information to individual data subjects about what will happen to their data.
The cost of non-compliance
The supervisory authorities have powers under GDPR to order organisations to pay compensation to data subjects.
They also have the power to administer substantial fines against both data controllers and data processors. The numbers are high (the maximum being the higher of 4% of global turnover or €20m) and so have grabbed attention. However, whilst the size of fines is intended to be "dissuasive", the authorities are also required to take into account the behaviour of the organisation and to fine accordingly.
Therefore, it is right and proper that our reaction to the legislation should be to take a broad risk-management approach and to invest in our security.
The cost of compliance
As you start looking into GDPR, you will find that it will impact more of your organisation than you originally thought. It will also take you longer to get compliant than you can imagine. This article will undoubtedly raise more questions than it has answered, but what is clear is that you will have to make investments in your security systems and processes and it is key to ensure that these investments are made in the right areas.
In this series of articles, I will share with you the journey that we are taking here at SD Worx to ensure GDPR compliance.