The GDPR: What You Need to Know

With new data regulations coming into law in 2018, we thought it was worth giving an overview of the coming changes, cutting through the jargon to keep you ahead of the curve.

The Data Protection Directive (DPD) was introduced in 1995, to protect EU citizens and their data at a time where the internet and enterprise software systems were in their commercial infancy.

A lot has changed since then, and the European Commission has approved a new set of regulations for data handling, known as the General Data Protection Regulations (GDPR), which will be coming into effect in May 2018.

The GDPR – Overview

For companies acting as data handlers, the definition of which includes, customer, employee and pension related data, the GDPR will give increased responsibilities on their part to the individual, around access, breach notifications, consent, deletion and the right to be forgotten.

That’s not the whole picture. Your data handling processes should consider data protection as fundamentally important, from design of new products, services and systems through to keeping detailed records of data transfers and transparency as far as your data handling policies go.

Although the GDPR is a European policy, it has worldwide implications and impact. If you are a company holding EU Citizen data, you are subject to the new regulations. It’s key not to consider the GDPR as a regulation that applies to European companies, but instead to recognise it as a regulation that protects European Citizens globally.

Don’t make the mistake of thinking that Britain’s exit from the European Union will mean these regulations will not apply. The Government has confirmed that the GDPR will become law, and will look later at making changes to data regulations.

It’s almost certain that some of these changes will affect your company and the way you handle data. The scale of the potential penalties for non-compliance with the GDPR is going to be considerable, with the highest penalties for consent related issues. This includes a fine of up to €20M or 4% of the offending organisation’s turnover – whichever is greater.

With the clock ticking on the new regulations, you might notice existing sources of data verification and similar services disappearing as providers consider the implications of GDPR compliance. As data verification inevitably gets more difficult, the best time to conduct a data audit and begin implementing your changes is now.

Find and document all your data, and all the contexts in which it exists. What do you have? Where is it physically located? Who has access to it, who uses it, and how is it used?

These are all questions you need to be asking and the more data you have – i.e., the more databases you have – the more difficult it is going to be to be GDPR compliant.

Practical steps you can take:

  • Ensure that your organisation is fully aware of GDPR
  • Consider increasing security
  • Devise new approaches to monitoring usage and transmission of data
  • Conduct an access audit to establish who can see what
  • Ensure you’re using well-established authentication codes and highly secure passwords, and that they are being regularly updated

Ultimately, the financial, legal and ethical obligation for correct application of the General Data Protection Regulations lies with the companies that hold that data.

The GDPR is going to be a major shake-up and moving towards compliance may be a significant and complicated project. The sooner you make a start, the better.

We’ve not scratched the surface with this small overview of the GDPR. The best place to make a start is the online GDPR portal. The Information Commissioners Office also has a wealth of information on the changes.