GDPR Assessment

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Act and creates a singular unified regulation for data privacy laws across Europe, to protect all EU citizens data privacy and to reshape the way organisations approach data privacy. GDPR will bring data protection laws up to date and in line with the way our personal data is now held and processed.

The aim is to allow people to understand and manage personal data held on them by organisations by giving ‘data subjects’ more control over the personal data held on them, and simplifying the law across the EU member states.

If you hold and/or process any personal data of any kind, then you must abide by the legislation. The legislation supersedes the existing Data Protection Act 1998 and will apply to UK companies, regardless of Brexit. Not only does the legislation tighten up the rules considerably compared to the Data Protection Act but the fines associated with non-compliance and failure to notify any breaches will dwarf those businesses currently face.

If you fail to follow the basic principles set out in the legislation the data protection authority in the UK – the Information Commissioner’s Office (ICO) – could issue a penalty of up to €20 million or 4% of your global annual turnover, whichever is greater. Should you fail to report a data security breach to both the effected parties and the ICO then the fines can be up to 2% of your annual worldwide revenue, or €10 million, whichever is higher.

In order to prepare for the legislation, you must know what data you hold, why you hold it, where it is held, what you do with it and how it is protected. If the data you hold is no longer needed or used for the purpose you initially collected it, then you must delete it.

In order to comply with the legislation as an ongoing activity you must look at the way you collect data, why you collect the data and how you use it. There must be explicit consent from the individual to collect the data in the first place and once you have stored the data you must then ensure there are robust processes in place as to how you deal with it – including deleting once the intended purpose has been satisfied.

As a company, you need to understand your current position, identify where the gaps are, prioritise and make plans for addressing the gaps and then implement the required changes to ensure compliance. After this point you need to ensure as part of your day-to-day processes and procedures that you continue to work within the legislation and are able identify and act upon any breaches should they occur.