General Data Protection Regulation
The GDPR is a set of laws designed to protect the data of users and give them more control over their data.
With this new regulation, effective from May 25th, 2018, businesses, healthcare providers and professionals need to be aware of the GDPR's impact and consequences.
Let us be your guide to prepare for the GDPR
Our services related to the GDPR
What is this GDPR exactly?
The GDPR is a set of laws affecting businesses around the world when they process personal data of EU citizens or when their business is located in the EU.
Unlike the EU Data Protection Directive, which each EU member state had to transpose into its own national measures, the GDPR is a regulation: it applies directly and uniformly in every member state.
This new regulation will replace the EU Data Protection Directive (EU Directive 95/46/EC) on May 25th, 2018.
In a nutshell the GDPR is about:
- assessing impact and risk, securing data and handling data responsibly,
- informing data subjects and getting their consent to process their data,
- responding to requests to access, modify or remove data,
- documenting and improving workflows and putting policies in place,
- educating staff and management,
- notifying authorities and involved parties about data breaches,
- and appointing a Data Protection Officer if you handle personal data on a regular basis.
The GDPR also enables Data Protection Authorities (DPAs) to impose severe administrative fines for non-compliance.
Depending on the infringement, these fines can amount to up to 10.000.000,00 EUR or 2% of the total worldwide annual turnover, whichever is higher, and in some cases even up to 20.000.000,00 EUR or 4% of the total worldwide annual turnover, whichever is higher.
How will this affect my organisation?
If you already handle personal data responsibly and according to current regulations, the GDPR should not have a huge impact on your organisation.
However, there are some new rules and changes your organisation needs to be aware of:
- The definition of personal data is much broader.
- Data subjects have new rights: the rights of access, rectification, erasure, objection, restriction of processing and data portability.
- Organisations are obligated to report data breaches to the Data Protection Authority within 72 hours and to notify the individuals whose data was accessed.
- There are financial repercussions for non-compliance.
- Data processors and data controllers share responsibility and liability.
- In many cases organisations are obligated to appoint a Data Protection Officer.
- The GDPR also affects organisations outside the EU when they process personal data of EU citizens.
- Organisations need to implement policies and maintain written procedures for the key aspects of the GDPR.
- Organisations need to conduct security and privacy impact assessments of the assets that process personal data.
The Data Protection Officer
In short, a Data Protection Officer (DPO) is responsible for overseeing the implementation of, and compliance with, the GDPR.
You are required to appoint a DPO if you can answer "Yes" to one or more of the following questions:
- Are you a public authority or body?
- Do you collect or process personal or sensitive information regularly?
- Do you collect or process personal or sensitive information on a large scale?
If you answered "Yes" to one or more of the questions above, you need a DPO.
Learn more about our DPO as a Service