The European Union’s General Data Protection Regulation (GDPR) is a regulation designed to protect an individual’s personal data. In addition to giving citizens control of their personal data, the GDPR also aims to unify data protection laws across the European Union (EU).

GDPR Regulations

The GDPR entered into force on 24 May 2016. Enforcement began on 25 May 2018. The regulation applies to any organisation processing the data of an EU citizen, even if the organisation is based outside the EU. Organisations worldwide therefore have to ensure that their data processing activities comply with the requirements of the GDPR.

A note for UK-based individuals and organisations: Although the UK has left the EU, the UK Government has incorporated the provisions of the GDPR into domestic legislation as the UK GDPR. This means that the rules in this guide continue to apply equally in the UK.

When it was introduced, the reform was the toughest data protection law in the world. Non-compliant organisations face fines of up to 4% of annual revenue or €20 million, whichever is greater. These penalties can seriously harm organisations of any size, highlighting the importance of undertaking the reforms required to be compliant with the regulation.

Companies or organisational departments specialising in data management need to pay particular attention to the requirements of the GDPR. There are likely to be multiple internal and external stakeholders involved in data collection, management and transmission. In particular, each stakeholder’s role – and hence their responsibilities – must be defined. For instance, in our data integration work, we are classified as a “Data Processor”. The head office client on whose behalf we collect data (e.g. a car manufacturer) is a “Data Controller”, and the third parties whose data we collect (e.g. a car dealership) are “Data Providers”. Each needs to comply – and demonstrate that compliance – with the principles of the GDPR regulation.

To comply with the GDPR principles, organisations will need to ensure that all personal data is:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary in relation to the purposes
  • Accurate and kept up-to-date
  • Kept for no longer than necessary
  • Processed in a manner that ensures appropriate security.

We have devised a step-by-step checklist that’s relevant to both Data Processors and Data Controllers. Our consultants use it to ensure that each one of our data management projects complies with our responsibilities as a Data Processor. The checklist can be downloaded for free using the form below, but please be aware that the information is provided for your help and guidance and does not constitute legal advice. The information has been taken from various publications of the Information Commissioner’s Office; while every effort has been made to ensure that the information is correct, it should be noted that this document is intended as a guide only. For further information please go to www.ico.org.uk.

Download the checklist here

To download your free PDF copy of the 10-page checklist, please complete the form below. You will be added to our no-spam email newsletter list. Your contact details will never be shared with anyone else, except that your data will be processed by EmailOctopus in a third country, and you can unsubscribe at any time in one click. Click here to read our privacy policy.
