General Data Protection Regulation (GDPR)

What will it mean for your business?

What is it?

The EU GDPR replaces the Data Protection Directive 95/46/EC and is designed to:

  • Harmonise data privacy laws across Europe
  • Protect and empower all EU citizens’ data privacy
  • Reshape the way organisations approach data privacy

When will it come into force?

It will take effect in May 2018.

What does it involve?

The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world.

  • Increased Territorial Scope

GDPR has extended jurisdiction as it applies to all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location.

  • Penalties

Organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements.

  • Consent

The conditions for consent have been strengthened, and companies will no longer be able to use long, illegible terms and conditions. The request for consent must be given in an intelligible and easily accessible form, with the purpose of the data processing attached to that consent. Consent must be requested in clear and plain language, and it must be as easy to withdraw consent as it is to give it.

Data Subject Rights

  • Breach Notification

Under the GDPR, breach notification will become mandatory in all member states, and it must be done within 72 hours of first becoming aware of the breach.

  • Right to Access

Data subjects can obtain confirmation from the data controller as to whether personal data concerning them is being processed, where, and for what purpose. The controller should provide a copy of the personal data in an electronic format, free of charge.

  • Right to be Forgotten

Also known as Data Erasure: the data subject can request that their personal data be deleted if it is no longer relevant to the original purpose for which it was collected.

  • Privacy by Design

Privacy by Design calls for data protection to be built in from the outset when designing systems. Organisations that process personal data have a legal requirement to protect it by providing adequate safeguards to mitigate the risk of a security breach. Whilst no one can guarantee complete information security, organisations need to reduce their risk of a data breach by ensuring they have sufficient plans in place to maintain business continuity.

Article 23 calls for controllers to hold only data that is absolutely necessary for the completion of their duties, and for access to customer data to be granted only to those processing that data within the organisation.

Data Protection Officers (DPOs)

The data protection officer (DPO) is a nominated person responsible for record keeping within the organisation. This role is mandatory only for public authorities, or for organisations whose core activities require regular and systematic monitoring of data subjects on a large scale, or the processing of special categories of data or data relating to criminal convictions and offences.

The DPO:

  • Should be appointed based on knowledge of data protection law and practices
  • May be a staff member or an external service provider
  • Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
  • Must report directly to the highest level of management
  • Must not carry out any other tasks that could result in a conflict of interest

How can you prepare for GDPR?

Determining how GDPR-compliant your organisation is requires you to review your current processes and procedures, and to ensure you have adequate cyber security protection and detection in place.

Genesis works alongside an excellent portfolio of security vendors and can provide solutions that cover six security pillars relevant to GDPR compliance:

  1. Protecting the perimeter with next-generation firewalls
  2. Securing the endpoint
  3. Deploying encryption
  4. Ensuring email security
  5. Facilitating secure remote access
  6. Providing disaster recovery

If you are unsure how GDPR may affect your business, or would like help preparing for GDPR, then get in touch.