The EU General Data Protection Regulation (GDPR) will come into force as of May 25th 2018. It replaces the current Data Protection Directive 95/46/EC and is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. Penalties for non-compliance can be severe, up to 4% of global turnover for the more reckless or negligent of acts.
All organisations should have finished an initial assessment phase by now, designed to help you understand where the compliance gaps are. A potential banana skin is your supply chain: you also need to ensure that your suppliers are heading towards compliance.
Arguably it is a victory for red tape bureaucracy, and regulation and legislation over common sense. Nonetheless it will affect everyone processing the personal information of any EU citizen, irrespective of where that processing may occur.
Article 4 of the regulation defines 'personal data' as any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The regulation is based on six core principles as follows, and we will look at these in more detail on our GDPR dedicated website, currently under development.
1. Personal information shall be processed lawfully, fairly and in a transparent manner
2. Personal information shall be collected for specified, explicit and legitimate purposes
3. Personal information shall be adequate, relevant and limited to what is necessary
4. Personal information shall be accurate and, where necessary, kept up to date
5. Personal information shall be retained only for as long as necessary
6. Personal information shall be processed in an appropriate manner to maintain security
If you do not know your PIAs from your DPIAs, your PIMS from your ISMS, your DPO from your DPA, your BCRs from your SARs, your EDPB from your PECR, then you really need to ask someone that does. With Certified GDPR Practitioners in house Octree is ideally placed to assist you with any DP compliance project.
But hurry - the clock is ticking. Call now or email email@example.com