The General Data Protection Regulation implementation date is set for 25th of May 2018, and almost every company based in the EU or operating in the EU has been putting a lot of effort into demonstrating GDPR compliance. Unfortunately the GDPR requirements can be interpreted in many ways, and it seems that many companies are struggling to understand what is required of them to achieve GDPR compliance.
This post will provide you with background on the GDPR and the things you need to be aware of in order to demonstrate GDPR compliance.
The General Data Protection Regulation will be effective from 25th of May 2018 and its main purpose is to regulate the use of personal data within the EU.
The new regulation will replace the Data Protection Directive (1995 - Directive 95/46/EC). The final text for the new legislation was adopted on 14th of March 2016. A detailed timeline of the events can be found here: GDPR Timeline of Events.
The GDPR highlights 2 key parties to which the new regulation applies:
If you are a processor, you are obliged to maintain records of personal data and processing tasks, and you carry responsibility in the case of a breach.
If you are a controller, you are not relieved of your obligations by having a processor. The GDPR places obligations on controllers to ensure that their contracts/agreements with processors are GDPR compliant.
The new regulation is applicable to companies operating within the EU and to companies that offer services to individuals in the EU.
We have put together some high-level guidelines on how to prepare for GDPR compliance. They are aligned with the guidance provided by the Information Commissioner's Office (ICO):
Assessment: To begin with, you will have to identify the GDPR impact in your respective area and potential compliance issues that may arise.
Documentation of information you hold: You will have to document what kind of personal data you hold. You will have to identify the source of the data, how the data is used and whether it is shared with third parties. Specifically, the new regulation requires that you maintain clear records of all of your processing activities. The GDPR's accountability principle states that organisations should be able to show how they comply with the data protection principles and document the types of personal data they hold and how they process the data. More details can be found here: ICO: Accountability and Governance.
Rights of individuals. Under the GDPR, individuals have the following rights:
Accountability and Governance. This area highlights changes and measures required to be in place in order to achieve GDPR compliance. For example:
Implementation of data protection policies
Documentation of processing activities
Completing internal audits on data security and protection
Data security enhancements
More details on accountability and governance can be found here: [ICO: Accountability and Governance](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/ "ICO: Accountability and Governance").
Consent. This area is about giving individuals the choice to decide how their personal data will be processed and used. Clear guidelines should be created and used to obtain consent from individuals. In addition, a clear process for individuals should be in place to revoke consent at a later stage if required.
Minors and children. The GDPR is introducing special protection for children's personal data. Every company is required to put in place processes to identify an individual's age and to obtain parental or guardian consent for any data processing activity.
Data Breaches. Every company should have in place procedures to detect, report and investigate data breaches.
Data protection impact assessments. A Data Protection Impact Assessment (DPIA) should be completed if data processing may result in a high risk of compromising personal data. The ICO has put together some checklists that can help you decide when to complete a DPIA. These can be found here: ICO: DPIA.
Data protection officers. A data protection officer (DPO) should be appointed if you are conducting processing activities. The role of the DPO is to:
International transfers. If a company operates in more than one EU country, it should determine its lead data protection supervisory authority and document it. Guidance on how to identify your lead data protection supervisory authority can be found here: EU: Article 29.
Supervisory authorities from each EU country will be responsible for imposing fines for non-compliance with the GDPR. A company will be subject to administrative fines up to 20 million Euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The UK government said that it would implement the GDPR legislation, and the UK's commitment to the GDPR was part of the Queen's Speech in 2017. As the UK is still part of the EU, the GDPR applies to all companies operating in the UK or those who have data subjects in the UK.
Some useful material on GDPR can be found here:
Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance): here you can find the official PDF of the Regulation.
Regulation (EU) 2016/679 (General Data Protection Regulation) as a neatly arranged website.
Guide to the GDPR explains the provisions of the GDPR to help organisations comply with its requirements.