What is GDPR?
Let’s start with the four letters that are everywhere at the moment:
General Data Protection Regulation, or GDPR as it’s commonly known.
So, what is GDPR and why is it so important?
GDPR is an EU regulation (and Brexit does not change that) created in response to the huge growth in the amount of personal data being generated, and to the new ways in which that data can be used, neither of which is adequately covered by the current, dated acts and regulations.
The UK currently has the Data Protection Act 1998, which was enacted to implement an earlier EU directive, and it will be superseded by this new regulation.
What Are the Main Differences?
- If your business is not in the EU, you still have to comply with the Regulation: it applies worldwide if you process the personal data of individuals in the EU.
- The definition of personal data is broader, bringing more data into scope (online identifiers such as IP addresses and cookie IDs, for example).
- Parental consent is required to process the data of children for online services (under 16 by default, with member states able to lower the threshold to 13).
- The rules on obtaining valid consent for the use of data change: consent must be freely given, specific, informed and unambiguous, and as easy to withdraw as to give.
- The appointment of a Data Protection Officer is mandatory for some organisations.
- Data Protection Impact Assessments become mandatory for high-risk processing.
- There are new data breach reporting requirements: the supervisory authority (the ICO in the UK) must be notified within 72 hours of becoming aware of a breach where feasible, and affected individuals must be told where the risk to them is high.
- Data subjects gain new and expanded rights (and lots of them): access, rectification, erasure, restriction, data portability and objection, among others.
When does it apply from?
The regulation applies from 25 May 2018, but its text has been final since it entered into force on 24 May 2016, so organisations have had a two-year window to prepare.
Who does GDPR Apply to?
The regulation divides you into data controllers and data processors. A data controller decides why and how personal data is processed, while a processor processes that data on the controller’s behalf. So, the controller could be any organisation that collects personal data, and a processor could be a third-party company (a hosting provider or a payroll bureau, say) doing the actual data processing. It is your responsibility as the controller to ensure, by contract and by checking, that the processor is acting within the regulation; processors also carry direct obligations of their own under GDPR.
Even if you are based outside the EU, GDPR will still apply to you if you are handling the personal data of individuals in the EU.
That’s a very brief intro to GDPR, and there are still many areas to cover, but hopefully it has given you an idea of what GDPR is all about and a starting point for moving forward.
As with most regulations, it’s largely guidance rather than specifics. Our advice for now is to show that you are making a genuine, documented effort; the ICO has said it will take that into account and won’t be reaching for the harshest penalties against organisations that are clearly working towards compliance. Have you worked through the ICO’s “12 steps to take now” guide for preparing for GDPR? Have you put technical measures in place, such as getting Cyber Essentials certified?
For more information on what Cyber Essentials is and the benefits of becoming certified (we can certify you), please see our article HERE.