As of 25 May 2018, the EU’s new General Data Protection Regulation (GDPR) applies. It is not just EU member states that must comply – any company anywhere in the world that holds data about EU citizens electronically will also have to be aware of the new rules and conform to them.
What is GDPR?
GDPR stands for General Data Protection Regulation. It is an attempt to harmonise data protection rules across the EU and to strengthen data protection and security for European Union citizens.
When does it come into effect?
GDPR is enforceable from 25 May 2018.
What does GDPR change?
Consent needs to be explicit. Citizens will be able to ask tough questions about what is happening with data held on them. This applies to “data controllers” (organisations collecting personal data; for example, IPAF is deemed to be a data controller with regard to training candidates) and to “data processors” (the organisations that process data on behalf of data controllers, for example cloud service providers).
Systems will need to be retooled. Organisations will need to show that they have built privacy into workflows and processes – for example by pseudonymising (scrambling) identity information as it is input to a system – in an approach known as Privacy by Design.
Any breach will need to be disclosed. Data controllers that experience a breach of personal data privacy will need to report it almost immediately and may also have to notify individuals affected.
Erasure becomes a universal right. Sometimes known as “the right to be forgotten”, this allows individuals to request that all personal data relating to them be deleted.
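The “scrambling identity information as it is input” approach mentioned under Privacy by Design, together with the erasure right described just above, can be illustrated with a small pseudonymisation routine. The code below is an added example and is not IPAF’s or Caldew Consulting’s code; the key value, the record fields and the sample candidates are all constructed for illustration. Direct identifiers (here an e-mail address) are replaced with a keyed HMAC token before the record is stored, so the stored records alone do not reveal who the candidate is, while the organisation can still look up or erase a person’s records on request as long as it holds the key separately.

```python
import hmac
import hashlib
from typing import Dict, List

# Constructed placeholder key for the example only. In a real deployment the key
# would be generated securely and held in a key store separate from the database,
# so that a copy of the stored records alone cannot be linked back to people.
PSEUDONYM_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Return a keyed one-way token for a direct identifier.

    A keyed HMAC is used rather than a plain hash so that someone who obtains
    the stored tokens cannot confirm guesses ("is alice@example.com in here?")
    without also holding the key. The identifier is normalised first so that
    case and whitespace differences map to the same token.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def ingest(record: Dict[str, str], store: List[Dict[str, str]]) -> Dict[str, str]:
    """Replace the direct identifier with its pseudonym before storing the record.

    Only the fields the training system needs are kept; the raw e-mail address
    never reaches the store.
    """
    stored = {
        "candidate_token": pseudonymise(record["email"]),
        "course": record["course"],
        "result": record["result"],
    }
    store.append(stored)
    return stored


def find_by_email(email: str, store: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Answer a subject-access style query by recomputing the token with the key."""
    token = pseudonymise(email)
    return [r for r in store if r["candidate_token"] == token]


def erase_by_email(email: str, store: List[Dict[str, str]]) -> int:
    """Handle an erasure request; returns the number of records removed."""
    token = pseudonymise(email)
    before = len(store)
    store[:] = [r for r in store if r["candidate_token"] != token]
    return before - len(store)


if __name__ == "__main__":
    # Constructed sample candidates.
    records: List[Dict[str, str]] = []
    ingest({"email": "Alice@Example.com", "course": "3a", "result": "pass"}, records)
    ingest({"email": "bob@example.com", "course": "3b", "result": "pass"}, records)
    print("stored:", records)
    print("alice's records:", find_by_email("alice@example.com", records))
    print("erased:", erase_by_email("alice@example.com", records))
    print("remaining:", records)
```

Pseudonymised data is still personal data under GDPR because the key allows re-identification, so the key itself needs the same governance (access control, separate storage, retention rules) as the records it protects.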
Who does it apply to?
GDPR is designed to protect EU citizens, so all companies that handle EU citizens’ data will have to be aware of it and comply. If you, or a third party you authorise to handle data on your behalf, are not compliant, then hefty fines may apply – up to €20 million or 4% of global turnover, whichever is higher – plus compensation for damages suffered.
What is IPAF doing to become compliant before the deadline?
IPAF is working with Caldew Consulting and other outside experts to meet the new regulations ahead of time, preparing a GDPR Readiness Assessment and Report, undertaking comprehensive Data Mapping and a Data Privacy Impact Assessment, and drawing up a new Privacy Compliance Framework.
Should my company be addressing GDPR yet?
A wait-and-see approach is not recommended: the penalties for non-compliance will be very high, both in terms of fines and of reputational damage. IPAF highly recommends that all member companies take steps to become compliant before the deadline and, if need be, consult a data protection specialist to check that they are ready for the changes ahead.