By Rachelle Peard. Published on 16 August 2016
The world is awash with data; we hear about it all the time. Big data, data breaches, data science. Every second data is being created and stored by organisations. Some of this data is highly sensitive and personal, and the EU have a new regulation that comes into force to help protect it. Eton Bridge Partners meet Jim Ashton, an Interim Data Management, Transformation and Change specialist, to discuss GDPR in more detail.
EBP: Jim, what is GDPR?
JA: Firstly, it stands for the General Data Protection Regulation. It is being brought in to modernise the protection of an individual’s data, particularly around the processing and free movement of this data. The regulation will give individuals more control of their personal data.
EBP: Who will GDPR impact?
JA: The regulation will protect EU citizens and affect companies with over 250 employees that hold the relevant data.
EBP: Will companies in the UK still have to conform, even after Brexit?
JA: It does not matter where the company resides: if they hold the personal data of an EU citizen, they must comply with the GDPR regulation.
EBP: What are the consequences if a company does not conform?
JA: For persistent non-compliance there is a fine of up to 20 million Euros, or up to 4% of the annual worldwide turnover of the preceding year, whichever is greater.
EBP: When do businesses have to start to adhere to the GDPR regulation?
JA: GDPR comes into force in May 2018. Companies are advised to implement the correct procedures to conform to the regulation before this time.
EBP: What can affected businesses do now to ensure they are ready for GDPR?
JA: If they haven’t already got one, they need to hire a Data Protection Officer (DPO). The organisation will need to identify where, when, how, why and by whom personal data is used and transferred. It is important to create a personal data inventory, as businesses with large databases and datacentres might not even know they are storing the sensitive data. This is particularly true where companies have grown from mergers or acquisitions. I’d recommend having an initial audit and assessment carried out to find this information, followed by a further change readiness assessment to ensure there are no surprises in May 2018.
In review, this regulation is coming and will affect all companies that deal with EU citizens’ personal data. In other words, if you sell goods or services to any one person that lives in the EU, you have to comply. In fact, if you hold that personal data, even if it was passed on by a third party, you must adhere to the GDPR regulation.
This is only the tip of the iceberg in terms of insight into GDPR, not least because of how much change will be involved. It would have been impossible to fit all of what Jim had to say on the subject in this blog.
Recruiting the right people to help your company implement the fundamental groundwork to enable your business to satisfy this new regulation will be of utmost importance.
What is clear is that if you didn’t know about GDPR, or if you did but were unsure what impact Brexit might have on it, or in fact if you just don’t get it, you need to take action to protect your organisation.