Important: One year until The EU General Data Protection Regulation

Gabrielle Cox • May 25, 2017

All organisations have until 25 May 2018 to comply with the new General Data Protection Regulation (GDPR).

Below we bring you key information on the new legislation coming into effect in May 2018, who it affects and what you need to do.

What?
On 14th April 2016, the European Parliament adopted a new regulation that will replace the 1995 Data Protection Directive. The GDPR (also known as EU 2016/679) covers the protection of a person's personal data, the processing of it and its free movement. It gives EU citizens greater rights over their own personal data and how it is used by organisations. The new regulation will place a greater obligation on all establishments to protect this data.

When?
As announced in the Official Journal of the EU, the new General Data Protection Regulation (GDPR) will come into force on the 25th May 2018, leaving just one year for organisations to prepare.

Who does it affect?
This new regulation affects ALL industries and organisations, regardless of size, location or sector, that process the personal data of people living in the EU, in both the private and public sectors. From schools to small businesses, every establishment will be required to comply with the new rules.

What do I need to know?
Data:
Data kept by an organisation must be kept up to date, with inaccurate data corrected or erased. Organisations are only able to hold data which is necessary for the purpose for which it is being processed. The reason why this data is being processed must be specific, clear and for a legitimate purpose (preventing fraud and direct marketing are considered legitimate interests), and these reasons should be easy to explain. Special protection for children's personal data has also been put in place for the first time. If your organisation collects information on children under the age of 13, you will need parental/guardian consent to process their data lawfully.

Consent:
If your organisation relies on consent from individuals to process their data, it must meet the standards set by the GDPR, which states that organisations must be able to show that consent was given. When organisations collect data they will need to provide clear messaging about the purposes of collecting the data and record how and where they collected consent.

Notification of data breaches
Organisations will need to notify their supervisory authority within 72 hours of any data breach and may then have to notify their customers.

Data Protection Officer (DPO)
Organisations which have 250 or more employees, are a public authority or are involved in large-scale, regular monitoring of individuals' data will be required to designate a DPO (either internally or outsourced). This person should have the confidence, support and ability to monitor data protection and its compliance with the GDPR.

Rights of the Citizens
Anyone who deals with a European controller will have the right to access and rectify their data, as well as the right to be forgotten (to have their data permanently deleted).

What do I need to do?
To comply with the new GDPR, organisations must embed data protection at every level of their business and incorporate it into their processes. Keep an eye out for our action list, to ensure you comply with the new regulations in plenty of time.


Further Points:
Penalties
In the event of a breach of compliance, supervisory authorities can impose fines of up to 4% of an organisation's worldwide annual turnover or €20 million - whichever comes first.

BREXIT
The GDPR will go into effect on the 25th May 2018. With the UK unlikely to leave the EU until May 2019, there will almost certainly be a crossover period, so all organisations are advised to comply. It's important to note that the UK government has indicated it will implement equivalent or alternative regulations, similar to the GDPR.

Organisations based in the UK that have customers in the EU will have to comply regardless.



For more information, fact sheets and frequently asked questions, visit the European Commission website.