The General Data Protection Regulation (GDPR) is a legal act of the European Parliament and the Council that was adopted in April 2016 and comes into force on May 25, 2018.
The GDPR primarily seeks to provide unified and clear rules on stronger data protection that are fit for the digital age, give individuals more control of their personal information processed by companies and ease law enforcement. GDPR orchestrates the harmonisation of data protection law across the EU.
The new regulation will also affect non-European companies that offer goods or services to, and/or monitor the behaviour of, European Union residents, and therefore process any of their personal data.
The GDPR introduces many key changes which organisations need to consider:
- Non-EU businesses will still have to comply with the Regulation
- The definition of personal data is broader, bringing more data into the regulated perimeter
- Consent will be necessary for processing data
- The rules for obtaining valid consent have been changed
- The appointment of a Data Protection Officer (DPO) will be mandatory for certain companies & activities
- Mandatory Data Protection Impact Assessments (DPIA) have been introduced
- There are new requirements for data breach notifications – within 72 hours
- Data subjects have the right to be forgotten
- There are new restrictions on international data transfers
- Data processors share responsibility for protecting personal data
- There are new requirements for data portability
- Processes must be built on the principle of privacy by design
Fines for non-compliance with the GDPR depend on the infraction. In the case of a personal data breach (defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed), the fine is up to 4% of the company’s annual worldwide turnover or €20 million, whichever is higher. For other infringements of GDPR provisions, the fine is up to 2% of annual worldwide turnover or €10 million, whichever is higher.
The Brexit Question
UK organisations handling personal data will still need to comply with the GDPR, regardless of Brexit. The GDPR will come into force before the UK leaves the European Union, and the government has confirmed that the Regulation will apply, a position that has been confirmed by the Information Commissioner.
Get support adapting your existing data protection programme to achieve GDPR compliance
The team at NexusProtect has years of experience in the application of data protection systems and processes, whether technical or organisational. NexusProtect is currently working with several legal organisations so that we can deliver both the legal and the practical application of the new GDPR regulation.
- Data Protection – Legal & Governance Frameworks
- Data Flow Mapping, Gap Analysis and Impact Assessments
- Policies and procedures
- Information security
- Incident management
- Compliance Frameworks & Documentation (ISMS & PIMS)
- Project Management
- Data Protection Officer role
Data Flow Mapping:
- Work with you to inventory the personal data held and shared by your organisation, and develop data flow mapping of your processes.
GDPR Gap Analysis:
- Provide a detailed assessment showing your organisation’s current GDPR compliance position, and a remediation plan to address the gaps and risks.
Data Protection Impact Assessments (DPIA):
- Provide an assessment of the data protection risks associated with your new processes and a remediation plan to mitigate those risks.
GDPR Compliance Frameworks:
- Develop a privacy compliance framework to provide a structure for the management of personal data that your organisation can use to comply with the GDPR (General Data Protection Regulation).
- BS 10012-compliant Personal Information Management System (PIMS)
- ISO 27001-compliant Information Security Management System (ISMS)