Ready for GDPR? New rules on data protection
Firstly, you may ask what is GDPR? It may sound like an abbreviation for a new train company, but actually it’s the newly adopted European Union General Data Protection Regulations.
Don’t panic! It’s not in force yet, but it will be introduced over the next two years (and comes into effect from May 2018), and many organisations are going to have to go on a journey of their own to ensure compliance with the GDPR.
It’s worth sitting up and taking notice of the GDPR because under the new regulations, the regulators can fine organisations up to €20 million or 4% of the offending company’s global gross revenue.
So what is the GDPR? The GDPR is intended to be a single set of data protection rules across Europe. Organisations outside of the EU are still subject to the regulations if they hold data concerning EU citizens.
The GDPR defines personal data as any information relating to a person who can be identified, directly or indirectly, by an identifier such as a name, an identification number, location data, or an online identifier, or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
So under the GDPR, in many cases online identifiers, including IP addresses, cookies and so forth, will now be regarded as personal data if they can be linked back to the data subject without undue effort.
Equally important, there is no distinction between personal data about individuals in their private, public or work roles – the person is the person.
Due to these changes, the GDPR is going to be, if it is not already, a boardroom discussion, with increased responsibility sitting with the data protection officer (DPO).
The regulation gives advice to DPOs, which is hardly revolutionary: “Engage only providers that provide sufficient guarantees to implement appropriate technical and organisational measures to meet the regulations’ requirements and protect data subjects’ rights.”
If you speak to most DPOs, this is what they always do; the GDPR just takes the penalties for failing to choose an appropriate provider to another level and makes the failure a board-level issue.
Official information on the GDPR can be found at http://ec.europa.eu/justice/data-protection/index_en.htm.
My next blog on this subject will give some ideas of what you should be checking with your providers. In the meantime, we’ve prepared an example GDPR vendor statement. We’d be interested to get your feedback.