A Guide to the General Data Protection Regulation (GDPR). What you need to know
16th October 2017
The General Data Protection Regulation (GDPR) is one of the most significant changes to legislation in recent years. In April 2016 the European Parliament voted to adopt a new data protection law for Europe with regulation coming into effect on 25 May 2018, giving businesses a matter of months to comply with a range of these regulations.
This new legislation is designed to allow individuals to manage their personal data, and to allow businesses better access to a digital single market with uniform regulation throughout.
What you need to know
GDPR regulation is being designed to strengthen the obligations on those who use personal data, and enhance the rights of individuals and:
What is Personal Data?
The definition of ‘personal data’ under GDPR is the same as under the UK Data Protection Act: namely, information that allows an individual to be identified, either directly or indirectly. However, what can be classified as an ‘identifier’ is more detailed, now including online identifiers such as IP addresses, location data and genetic data.
Appointing a Data Protection Officer
Companies must appoint a Data Protection Officer (DPO) who will need to:
The role of the Data Protection Officer should be taken seriously. It is not a nominal position to satisfy regulation and it must extend beyond the realm of IT.
DPOs should be well-versed in data, risk, law and compliance, but also able to adapt to the ever-changing risk landscape of a modern digital world.
The Information Commissioner’s Office also recommends that the DPO reports at board level and is provided with adequate resources to meet all obligations. The GDPR further specifies that the DPO must have ‘expert knowledge of data protection law and practices’.
Implementation of GDPR will give regulators the authority to issue fines and penalties equal to 2% of a business’s global revenue for any violation of security, record-keeping and privacy impact assessment obligations. In addition, violations related to data subject rights and cross-border data transfers could result in fines of 4% of the business’s global turnover.
The financial price of getting GDPR wrong is well documented: losing 4% of turnover would undoubtedly be a board-level issue. Mandatory reporting requirements also add new elements of risk: reputational damage and class actions. It will now be easier for traditional and social media channels to publicise failings, so transportation companies must be prepared to face the stark glare of media and customer scrutiny if they are found to be non-compliant with GDPR.
Data breaches can and inevitably will happen, but an organisation that has implemented proactive risk management may be looked on favourably by regulators and protect its reputation. While it may be easy to think of the GDPR as yet another compliance burden, it should be viewed as a means of bringing your organisation up to speed with the modern digital world.