In Spring 2018 the General Data Protection Regulation (GDPR) will replace the Data Protection Directive 95/46/EC as the primary law regulating how companies protect EU citizens' personal data. Companies that fail to achieve GDPR compliance before the deadline will be subject to strong penalties. Even with the UK’s decision to leave the EU, UK companies are still required to protect EU consumers’ data per the new directive.
If you are unsure how this will affect your company, and what you need to do to keep your organisation compliant, check out our quick guide below.
The GDPR mandates a baseline set of standards for companies that handle EU citizens’ data. It goes into effect May 25th, 2018. Highlights include:
- Requiring consent for data processing
- Anonymising collected data to protect privacy
- Providing data breach notifications
- Safely handling the transfer of data across borders
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
Which organisations does the GDPR apply to?
The purpose of the GDPR is to impose a uniform data security law on all EU members. Even when the UK is no longer an EU member, if your company markets goods or services to EU residents, it is subject to the regulation. As a result, GDPR will have an impact on data protection requirements globally.
What are the requirements?
The GDPR is a large document with 11 chapters and over 90 articles. Below we have listed those we think are most relevant.
- Articles 17 & 18 – Articles 17 and 18 of the GDPR give data subjects more control over personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily (also called the “right to portability”), and they may direct a controller to erase their personal data under certain circumstances (also called the “right to erasure”).
- Articles 23 & 30 – Articles 23 and 30 require companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure.
- Articles 31 & 32 – Data breach notifications play a large role in the GDPR. Article 31 specifies requirements for single data breaches: controllers must notify Supervisory Authorities (SA) of a personal data breach within 72 hours of learning of it, and provide details. Article 32 requires data controllers to notify data subjects as quickly as possible of breaches when the breach places their rights and freedoms at high risk.
- Articles 33 & 33a – Articles 33 and 33a require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.
- Article 35 – Article 35 requires that certain companies appoint data protection officers. Specifically, any company that processes data revealing a subject’s genetic information, health, racial or ethnic origin, religious beliefs, etc., must designate a data protection officer. Note that some companies may be subject to this aspect of the GDPR simply because they collect personal information about their employees as part of human resources processes.
- Articles 36 & 37 – Articles 36 and 37 outline the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.
What happens if your organisation doesn’t comply?
The Supervisory Authority (SA) holds investigative powers and may issue warnings for non-compliance, perform audits to ensure compliance, require companies to make specified improvements by prescribed deadlines, order data to be erased, and block companies from transferring data to other countries. Data controllers and processors are subject to the SAs’ powers and penalties.
The GDPR also allows SAs to issue larger fines than the Data Protection Directive. Fines are determined based on the circumstances of each case, and the SA may choose whether to exercise its corrective powers with or without fines. For companies that fail to comply with certain GDPR requirements, fines may be up to 2% or 4% of total global annual turnover or €10m or €20m, whichever is greater.
What to do next?
All organisations, including small to medium-sized companies and large enterprises, must be aware of all GDPR requirements and be prepared to comply by May 2018. By beginning to implement data protection policies and solutions now, companies will be in a much better position to achieve GDPR compliance when it takes effect. For many of these companies, the first step in complying with GDPR is to designate a data protection officer to build a data protection program that meets the GDPR requirements.
VTSL is the leading provider of pure cloud business VoIP telephone systems to medium-sized organisations in the UK and Ireland. As a unified communications company, VTSL can unite all your communications mediums for increased productivity and efficiency. As an established IP phone system provider, VTSL can provide you with flexible working communications – so that employees can work at home, on the road or abroad. For more information about VoIP business phone services, unified communications or flexible working applications, call 0207 078 3200 today or email email@example.com.