by John Sheridan, Business Development Manager, MJ Flood Technology.
General Data Protection Regulation: The Facts
The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years.
After four years of preparation and debate, the GDPR was approved by the EU Parliament on 14 April 2016. It applied from 25 May 2018, from which date organisations found to be non-compliant may face heavy fines.
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It is designed to harmonise data privacy laws across Europe, to protect and empower the data privacy of all individuals in the EU, and to reshape the way organisations across the region approach data privacy.
What is GDPR?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The main aim is to improve and unify the way personal data is protected.
What is the definition of personal data?
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Art. 4(1)).
Who does GDPR Apply to?
GDPR applies to every organisation that processes, stores or transmits the personal data of individuals in the EU. These organisations are classified as data controllers (which decide why and how personal data is processed) and data processors (which process it on a controller's behalf). Both have obligations under GDPR.
Is GDPR only applicable to EU Based companies?
No. GDPR applies to the processing of the personal data of individuals in the EU, so it applies not only to EU organisations but also to organisations based outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour within the EU (Art. 3).
What business areas are affected by GDPR?
Every business area that handles personal data falls within the scope of GDPR: Sales & Marketing, HR, Finance, Legal and Customer Services.
What are the penalties?
There are two tiers of fines under the GDPR. The first is up to €10 million or 2% of the company’s global annual turnover for the previous financial year, whichever is higher. The second is up to €20 million or 4% of the company’s global annual turnover for the previous financial year, whichever is higher. The potential fines are substantial and a good reason for companies to ensure compliance with the Regulation.
Does my business need to appoint a Data Protection Officer (DPO)?
A DPO must be appointed in the case of: (a) public authorities or bodies, (b) organisations whose core activities require regular and systematic monitoring of individuals on a large scale, or (c) organisations whose core activities involve large-scale processing of special categories of personal data or data relating to criminal convictions (Art. 37). If your organisation does not fall into one of these categories, you are not obliged to appoint a DPO unless national law requires it, although you may still choose to appoint one voluntarily.
What are my rights under GDPR?
• Right of access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability
• Right to object
Data subjects exercise these rights by making a request to the data controller, which must respond without undue delay and in any event within one month of receipt (Art. 12).