7 August 2017
Our Head of Legal, Leon Daniel, has written some useful information on General Data Protection Regulation (GDPR) and what it might mean for your organisation. This is the first of a series of articles on the new Regulation and will cover the steps we are taking at SD Worx to ensure GDPR compliance.
GDPR is a new piece of European legislation that was finally adopted on 27th April 2017 after several false starts. It will come into force on 25th May 2018 across Europe, and it will apply not only to any organisation situated in the EU, but also to any organisation that processes the personal data of EU citizens regardless of where they are located.
A key difference between the GDPR and existing data privacy laws is that it also applies to data processors, who will be directly liable alongside data controllers (owners of data) for GDPR breaches.
GDPR will apply in the UK regardless of Brexit. The Queen stated the Government's plans during the opening of Parliament, where Her Majesty said:
A new law will ensure that the United Kingdom retains its world-class regime protecting personal data…
and we expect that the Repeal Bill will be used to bring GDPR into law for the UK.
GDPR takes many of the concepts under existing privacy laws and enhances and extends them. Existing data subject rights, such as the right to receive a copy of the data and the right to rectification, are extended, for example with shorter time limits for compliance.
There are also a set of new data subject rights, such as the right to erasure (not quite as broad as the much-discussed right to be forgotten) and data portability.
Other big changes include a right to self-report any breaches, special rules for processing children’s data, new categories of sensitive data and the requirement to give specific information to individual data subjects about what will happen to their data.
The supervisory authorities have powers under GDPR to order organisations to pay compensation to data subjects.
They also have the power to administer substantial fines against both data controllers and data processors. The numbers are high (the maximum being the higher of 4% of global turnover or €20m) and so have grabbed attention. However, whilst the size of fines is intended to be “dissuasive”, the authorities are also required to take into account the behaviour of the organisation and to fine accordingly.
Therefore it is right and proper that our reaction to the legislation should be to take a broad risk-management approach and to invest in our security.
As you start looking into GDPR, you will find that it will impact more of your organisation than you originally thought. It will also take you longer to get compliant than you can imagine. This article will undoubtedly raise more questions than it has answered, but what is clear is that you will have to make investments in your security systems and processes, and it is key to ensure that these investments are made in the right areas.
In this series of articles, I will share with you the journey that we are taking here at SD Worx to ensure GDPR compliance.