GDPR – An Overview
Unless you’ve been living under a rock for the past few months, you cannot have missed the hot topic of the moment, GDPR. But what exactly is it, who will be affected and where do you start?
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and will impact every organisation that collects, stores or uses the personal data of individuals in the EU, wherever that organisation is based.
It has been nearly 20 years since the UK’s data protection laws were last updated (the Data Protection Act 1998), and since then the digital landscape has changed completely. The GDPR replaces the existing law with a single EU-wide regulation. It extends the rights of individuals over the use of their data and requires organisations to put in place clear policies and procedures to protect personal data.
Who will be affected by the GDPR?
Any organisation that offers goods or services to individuals in the EU, or monitors their behaviour, is subject to the regulation regardless of where it is located. A company outside the EU cannot avoid the GDPR simply by having no EU office.
Where do I start?
There is a great deal of information about GDPR on the web, and at Sotic we receive at least three or four emails a day from companies or individuals advertising their services in this area.
We would advise our clients to seek advice, as the regulation applies right across your business, not just to your website or your marketing department.
However, before you engage a consultant or a firm to advise you, it’s worth doing some research into GDPR yourself (the regulation itself runs to 11 chapters and 99 articles) and into how your organisation may be affected, so that you’re not coming in cold. There is still time to prepare, but the clock is ticking.
For many companies, the first step in complying with GDPR is to designate a data protection officer to build a data protection programme that meets the requirements. A DPO is mandatory for public authorities and for organisations whose core activities involve large-scale, systematic monitoring of individuals or large-scale processing of special categories of data; other organisations may appoint one voluntarily, but somebody still needs to own the programme.
You should also consider carrying out a data audit within your organisation, because before you can make changes you need a comprehensive picture of what your business looks like: what personal data it holds, why it holds it, where and how it is stored, who it is shared with, and what your legal basis is for processing that personal data.
There’s no ‘one size fits all’ approach. Each business will need to examine what exactly it needs to do to comply, and whether you work for a small company or a large multinational, budget and personnel will need to be considered.
There are many useful resources on the web relating to GDPR, but a good starting point is the Information Commissioner’s Office, which offers general guidance on preparing for the regulation.
Penalties for Non Compliance
All organisations will need to ensure they are GDPR compliant by 25 May 2018 or risk falling foul of the new regulation. If you fail to comply, your company may be fined, in the most serious cases up to €20 million or 4% of worldwide annual turnover, whichever is higher, while individuals will have legal grounds on which to bring claims and seek compensation for damage suffered as a result of an infringement, including a data breach.