GDPR comes into effect on May 25, 2018. It was proposed by the European Union and developed to strengthen and unify data protection laws; however, it impacts organisations all around the world, including those in the USA and Australia.
This program was planned back in 2012 when the European Commission set plans for data protection reform across the European Union in order to make the EU “fit for the digital age”.
The digital future of Europe can only be built on trust.
– Andrus Ansip, VP, Digital Single Market
So this is what you need to know.
What it stands for.
General Data Protection Regulation.
What it actually is.
It is a reform with a set of rules designed to give individuals control over their data. It will simplify the regulatory environment for business, so both businesses/organisations and individuals will benefit from the digital economy. It has been built to be centred around individuals – with a hefty responsibility on organisations, which will result in transparency and accountability.
Who it applies to.
GDPR applies to all organisations around the world that hold data belonging to individuals from within the EU, and also to those who offer products or services to customers or businesses in the EU. This includes end users, customers and employees. The roles of data controllers and data processors have never been more critical. All organisations will need to ensure they have the skills and staff necessary to be compliant with GDPR legislation.
The positive impacts for individuals and businesses.
One big factor of GDPR is that individuals will be able to control and delete their own data. Individuals will have access to their own data and its use. Plus, they’ll know when their data has been hacked: organisations will have to notify the appropriate national bodies as soon as possible so that an individual can take appropriate measures to stop their data being misused, and a breach notification must be delivered directly to the individual affected.
Giving individuals more control, GDPR brings in “the right to be forgotten” – allowing individuals who no longer want their data processed to have it deleted (as long as there’s no need to keep it). The unified EU data legislation of the GDPR should also bring benefits to businesses. The expectation is that it will make it simpler and cheaper for businesses to operate within the region.
What “personal” data is included under these rules.
Names, addresses, photos, dates of birth, health records, financial details and IP addresses. Sensitive personal data, which might be genetic or biometric, is also included.
What compliance means.
Organisations must ensure that any data they gather on individuals is gathered legally and protected, ensuring it cannot be misused or exploited. If it is, they will face (large) penalties, namely up to 4% of their total worldwide turnover. Companies must be compliant even if their own country’s laws and Data Privacy Acts differ from the GDPR. Therefore, organisations trading in the EU need to ensure they have an individual charged with the responsibility for compliance.
And the risk for non-compliance is high.
There are reputational and financial risks. Fines from EU$20m to 4% of turnover, combined with a potential backlash from the media and social media, could apply to any organisation that doesn’t comply.
The key is making sure that, as a business, you’re prepared and have the right partners on board to ensure compliance. As an individual, the GDPR will bring a far greater sense of certainty about exactly how safe your data is in the EU, and how it is used by any organisation working within the EU.
Now is the time.
A recent PwC survey found that of the executives surveyed (across a global spectrum), only “11% said their companies have now finished operationalised preparations”. Of the companies surveyed, it was also found that “36% said they have just started the assessment process” – meaning their journey toward GDPR readiness is only just beginning. There is a risk that companies will not be fully compliant by the looming deadline of May 2018.
- If you hold, control or process personal data on EU residents, GDPR will apply to you.
- It will be in effect from 25 May 2018.
- “Data” includes personal information – names, addresses, email, social posts, web browsing, medical information or a computer’s IP address.
- If you do not comply, you are at risk. Huge risk. EU$20m to 4% of turnover (whichever is higher)… plus reputational risk.
- Now is the time.