What is GDPR?

December 8, 2017

The new law in a nutshell

May 25 2018. Make a note of the date.
If you run a business or organization that collects, controls or processes personal information, you hopefully have a robust set of protocols in place for protecting that information, in compliance with your country’s Data Protection laws. From May 25 2018, your legal obligations will be stepped up significantly, in line with a new EU regulation called the General Data Protection Regulation (GDPR).

These will be the biggest changes to the EU’s data protection laws in two decades. Over that period, there has been a quantum leap in the volume of personal data collected and stored online, and the risk of misuse or misappropriation of that data has multiplied. The new regulation is a response to that growing risk, designed to protect individuals and their privacy.

The GDPR was adopted in April 2016, giving those affected by it two years to become compliant, though you may not have heard about it until recently. As the deadline draws nearer, the rush to comply has become something of a stampede, inducing panic and rumors of crippling fines. If you want to read the full 99 articles of the 88-page document for yourself, you’ll find it all here. Alternatively, you can follow our company page to acquaint yourself with the parts that affect your business or organization.

Who the GDPR affects

The GDPR applies to the processing of personal data by companies or organizations having their establishment within the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data by companies and organizations not established in the EU if they offer goods or services to individuals within the EU or monitor behavior of those individuals that takes place in the EU. The broad territorial scope of the GDPR makes it the first ‘global’ data protection legislation, affecting companies all over the world.

A commonly held belief is that it’s really only an urgent matter for large companies. This is not the case. Rumors of multimillion euro fines being imposed on big businesses that have failed to meet their data protection obligations have been greeted with a mixture of fear and a blasé assumption that such sanctions could surely only apply to the giants. As a result, the real problem area lies among SMEs. Just over a year ago, a survey conducted by Dell found that 82% of SMEs knew little or nothing about the GDPR.

The truth about those GDPR penalties

The whole point of the GDPR is to make businesses and organizations work a bit harder on behalf of the individuals whose data they hold and use. The force of the law, therefore, is firmly on the side of the individual. The new regulations will make it easier for individuals to bring private claims against businesses and organizations that fail to fulfill their obligations, and to sue in cases where genuine damages have been suffered as a result.

On top of that, the authorities will have the power to impose harsh financial penalties in cases where a business or organization has failed in its data protection duties. The maximum fine is €20 million or 4% of turnover (whichever is the greater). The more serious transgressions that are subject to the maximum fine include failure to process individuals’ data according to the basic principles of the GDPR, infringement of the data subject rights, or cross-border transfer of personal data that does not satisfy the GDPR rules.

However, as the GDPR is designed to steer businesses into line, rather than drive them under, it has been stated by some national authorities that the application of these fines is only likely in cases of repeated offending, and that a stern warning is the more likely action for first offences.

Don’t let this make you blasé, however. The reputational damage of a data protection breach can be just as crippling, if not more so, than a fine.

So what are the main changes?

It begins with the collection of data. There are separate regulations for personal data, e.g. name, address, email address, phone number etc., and sensitive personal data, e.g. religious, sexual, political, genetic etc. In all cases, you will have a clear responsibility to obtain consent and an ‘opt in’ before collecting information. That means stating very clearly what information you’re gathering, how you will store it and what you intend to use it for.

The GDPR demands much more rigour in the way you store and process data. You must be able to demonstrate your methods and keep accurate documentation. If an individual requests the release of their data, you will be expected to provide this free of charge and within one month.

Most businesses and every public authority will be required to have a designated Data Protection Officer (DPO), who has oversight of the entire data protection operation and reports to the board. The DPO will also be required to report to the supervisory authorities any incident that could have a detrimental effect on the data subjects.

How to prepare for GDPR

These, together with the new fines and a set of special measures for the protection of children’s data, are the headline changes being brought in by the GDPR, but the important thing is to make sure you are familiar with all the changes that apply to your business or organization.

Thorough documentation will be essential. You will need to have a data protection policy, a data protection impact assessment (DPIA) and relevant documents showing how the data you hold is processed. Communication is also key, both in ensuring your staff (especially senior management) are aware of the GDPR and your data protection obligations, and in maintaining your data protection policy.

If this all sounds overwhelming, don’t worry. Our CCQ compliance tool is designed to help you put in place and manage all the documentation, communication and monitoring you need to make sure you comply with the GDPR. And the good news is, if you’re already compliant with the current data protection laws, the transition to GDPR will be painless.  
Posted by the CCQ Team.

[Disclaimer] This material is intended for general information purposes only and does not constitute legal advice. The views, thoughts and opinions expressed in this article are solely those of the original authors, and do not necessarily reflect the official policy or position of Origo, or any other entity.