What is GDPR?
GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679). It is a European regulation covering data protection that aims to strengthen and unify the way personal data is protected across the EU. It applies from 25 May 2018. The European Data Protection Board is an independent body made up of the EU's national data protection authorities and the European Data Protection Supervisor, and it works to ensure that the GDPR is applied consistently throughout the EU.
Here we have collected some of the most common questions around GDPR and give clarity as to what it may mean for you.
1. What is considered to be personal data?
‘Personal data’ covers a very wide range of information. Under the GDPR it means any information relating to an identified or identifiable ‘natural person’ (a living individual). A person is identifiable if they can be identified, directly or indirectly, from the data, for example by reference to a name, an identification number, location data, an online identifier such as an IP address, or to factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. The data does not have to identify the person on its own; it is enough that it could reasonably be combined with other information to do so.
2. Who does GDPR apply to?
The GDPR applies to any organisation that processes (including collecting, storing or transmitting) the personal data of individuals in the EU, whether it is established in the EU or, from outside the EU, offers goods or services to people in the EU or monitors their behaviour. Such an organisation acts either as a data controller or as a data processor. The controller decides the purposes and means of the processing (why and how personal data is processed), while the processor processes personal data on the controller’s behalf and under its instructions. Both have their own obligations under the GDPR, and a controller remains responsible for the processors it uses.
3. What are the penalties for not following GDPR?
Organisations that infringe the regulation can be fined by their supervisory authority. There are two tiers of administrative fines: up to €10 million or 2% of annual worldwide turnover, whichever is higher, for infringements such as failing to keep records of processing, to implement appropriate security measures or to notify personal data breaches; and up to €20 million or 4% of annual worldwide turnover, whichever is higher, for infringements of the core data protection principles, of individuals’ rights or of the rules on international transfers. There is no higher tier beyond the €20 million / 4% maximum. Fines are set case by case, taking into account factors such as the nature, gravity and duration of the infringement, whether it was intentional or negligent, any previous infringements and what the organisation did to mitigate the harm, so repeated infringements and a failure to remedy them push a fine towards the upper limit. Fines are also only one of the corrective powers available: a supervisory authority can, for example, order an organisation to stop processing altogether.
4. What key business areas will be affected by GDPR?
GDPR affects any area of a business that handles personal data, for example HR, sales, marketing, membership or customer services, IT, finance and legal. It applies to public and private sector organisations alike: every organisation that holds personal data is within scope. Employees’ personal data is also covered by GDPR, and must be collected, stored, managed and protected to the same standards as the data of any other ‘natural person’.
5. What are the individual’s rights under GDPR?
The regulation was created to strengthen the privacy rights of individuals in the EU (not only EU citizens), and it gives them greater rights over data referring to them: the right to access the personal data held about them, to have inaccurate data rectified, to have data erased in certain circumstances, to restrict processing, to receive their data in a portable format, and to object to processing. The right to object to direct marketing is unconditional, and individuals also have protections against decisions based solely on automated processing, including profiling.
GDPR isn’t something organisations should be afraid of as 25 May approaches. Take the right steps to build on your existing data-processing frameworks, and the rest should be easy.