25 May 2018 has now come and gone and the new EU General Data Protection Regulation (GDPR) is in full effect. Replacing the Data Protection Directive 95/46/EC, the GDPR is designed to standardise data privacy laws across Europe.
The GDPR introduces rigorous new requirements for obtaining consent to process personal data, with heavy fines for non-compliance. The definition of ‘personal data’ is broader than many initially imagined: it covers essentially anything that can be used to directly or indirectly identify a living individual. Qualifying personal data extends from a name, photo, email address or bank details to posts on social networking sites, medical information or a computer IP address.
Controlling and minimising data breaches is a key objective of the GDPR – as highlighted by the new requirement that all data breaches that “result in a risk for the rights and freedoms of individuals” must be reported within 72 hours of first having become aware of the breach.
With such specific conditions around the collection, usage and maintenance of personal data, and the management of security breaches, it is important that organisations fully understand what the GDPR is actually asking of them. It is only with clear and confident knowledge of the new requirements that data and processes can be reviewed and adjusted to avoid fines and maintain customer and stakeholder confidence.
GDPR compliance is an ongoing process and should draw on a range of governance, risk and assurance capabilities together with technical and data protection skills. Whilst we are not providing specific client services around the GDPR, we have undertaken a full review of our own processes and will share our knowledge and resources where we are able.
With the right consent, proper procedures and ongoing accountability for personal data, organisations can be confident that they are meeting the new GDPR standards.
Educate senior management and employees on the changes that the GDPR has introduced and how this impacts the way personal data is processed within an organisation.
Ensure the right procedures are in place by reviewing the personal data held, how it is stored and who has access to it.
Identify the data that is being processed on the basis of consent and ensure there is a right to withdraw – question whether this meets the new GDPR standard.
Create risk, policy and procedure environments that ensure a business is able to operate effectively whilst still remaining compliant.
Manage GDPR objectives and continue to update a plan of action that is appropriate and that can be realistically maintained.