On May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) will supersede the UK Data Protection Act of 1998. This week, we discuss what you need to know about the GDPR regulation.
Described by the New York Times as the “biggest overhaul of privacy rules since the birth of the internet”, the GDPR is a landmark regulation that gives members of the public more visibility into, and more control over, how their personal data is collected and used.
What is the GDPR?
In a nutshell, the GDPR is the EU’s update to data protection law, and it applies across all of its member states. Is your business prepared for the new rules? Here are the most commonly asked questions about the GDPR.
When is the GDPR coming into effect?
The European Parliament approved the GDPR in April 2016. Because it is a Regulation rather than a Directive, the GDPR applies automatically at the end of its two-year transition period, without the need for enabling legislation by the member governments. The GDPR will therefore apply from 25 May 2018.
What is the difference between a regulation and a directive?
A regulation is binding legislation that must be applied in its entirety across the EU. A directive, by contrast, sets a goal that all EU countries must achieve, but leaves it to each country to decide how to reach that goal through its own national law.
Should data controllers in the UK still prepare for GDPR in light of ‘Brexit’?
If you offer services or sell goods to individuals in the EU, you most likely should. Regardless of whether or not the UK retains the GDPR post-Brexit, you will have to comply with the regulation as long as you process the personal data of individuals in EU countries.
Who will be affected by the GDPR?
All organisations that handle the personal data of individuals in the EU will be affected by the GDPR. Note that the test is where the data subjects are, not their citizenship: as long as you offer goods or services to people in the EU and collect their personal data, the GDPR applies to you, regardless of where your organisation is located.
What are the consequences of non-compliance?
Organisations found to be non-compliant with key GDPR provisions can be fined up to €20 million or 4% of their total worldwide annual turnover for the preceding financial year, whichever is higher. Examples of infringements in this top tier, taken from the GDPR website, include:
- Non-adherence to the core principles of processing personal data
- Infringement of the rights of data subjects
- Transfer of personal data to third countries or organisations that do not ensure adequate levels of data protection
What is the difference between ‘controllers’ and ‘processors’?
The Information Commissioner’s Office (ICO) defines these terms as follows: a controller determines the purposes and means of processing personal data, while a processor processes personal data on behalf of the controller.
How do you define personal data?
Personal data is any information relating to a natural person, or ‘data subject’, that can be used, directly or indirectly, to identify that person. This includes a name, an image, an email address, bank details, a post on a social networking site, an IP address, or medical information. To learn more, refer to the ICO website.
How will the GDPR impact the policy regarding data breaches?
Under the GDPR, organisations are required to report personal data breaches that are likely to pose a risk to individuals to the relevant supervisory authority (the ICO in the UK). This must be done without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay. Your organisation must therefore have robust processes in place to detect, investigate, and report data security breaches within that window.
In an interview with UKA Live, Victoria Cetinkaya, senior policy officer at the Information Commissioner’s Office (ICO), described the implementation of GDPR as a cultural shift: once it takes effect, there will be a new principle of accountability in that organisations will have to demonstrate the capability to comply with GDPR. That is, organisations will have to implement data-protection impact assessments as well as processes that enable compliance.
This change will significantly transform the playing field in the coming years, particularly in terms of cybersecurity. Early this year, a survey conducted by CAN Hardy found that twenty-five percent of executives rate cyber risk as their highest concern. The survey comprised 450 executives from UK multinational firms and 50 executives from European multinationals. The GDPR’s more stringent data protection requirements should push organisations to put the controls in place that reduce that risk.
Before this can be achieved, executives in businesses that handle the data of individuals in the EU will have to work out, as quickly as possible, which procedures and policies to introduce in order to comply. It is important that your workforce is trained before 25 May 2018 arrives, and that any third-party vendors acting as your data processors also comply with the GDPR, since controllers remain responsible for the processors they use.
Learn about Our Solutions
Looking for an accounting outsourcing company that fully understands the importance of your clients’ privacy? Learn more about our accounting outsourcing solutions that are compliant with the GDPR. Get your copy of our latest whitepaper, D&V Philippines: Your Talent Sourcing Partner.