The European Union’s General Data Protection Regulation (GDPR) is a new regulation designed to protect an individual’s personal data. In addition to giving citizens control of their personal data, the GDPR also aims to unify data protection laws across the European Union (EU).
The GDPR entered into force on 24 May 2016. Enforcement will begin on 25 May 2018. The regulation applies to any organisation processing the data of an EU citizen, even if the organisation is based outside the EU. Organisations worldwide therefore have an increasingly short window in which to ensure that their data processing activities comply with the requirements of the GDPR. Brexit will not affect the responsibilities of organisations based in the UK, since it is likely that all EU laws will be transferred onto the UK’s statute books once the Brexit process is complete.
The reform will be the toughest data protection law in the world. Non-compliant organisations face fines of up to 4% of annual revenue or €20 million, whichever is greater. These penalties can seriously harm organisations of any size, highlighting the importance of undertaking the reforms required to be compliant with the regulation.
Companies or organisational departments specialising in data management need to pay particular attention to the requirements of the GDPR. There are likely to be multiple internal and external stakeholders involved in data collection, management and transmission. In particular, each stakeholder’s role – and hence their responsibilities – must be defined. For instance, in our data integration work, we are classified as a “Data Processor”. The head office client on whose behalf we collect data (e.g. a car manufacturer) is a “Data Controller”, and a third party whose data we collect (e.g. a car dealership) is a “Data Provider”. Each needs to comply – and demonstrate that compliance – with the principles of the GDPR regulation.
To comply with the GDPR principles, organisations will need to ensure that all personal data is:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes
- Accurate and kept up-to-date
- Kept for no longer than necessary
- Processed in a manner that ensures appropriate security.
We have devised a step-by-step checklist that’s relevant to both Data Processors and Data Controllers. Our consultants use it to ensure that each one of our data management projects complies with our responsibilities as a Data Processor. The checklist can be downloaded for free using the form below, but please be aware that the information is provided for your help and guidance and does not constitute legal advice. The information has been taken from various publications of the Information Commissioner’s Office; while every effort has been taken to ensure that the information is correct it should be noted that this document is intended as a guide only. For further information please go to www.ico.org.uk.