The EU General Data Protection Regulations (GDPR) come into effect 25 May 2018. The new rules raise the bar for collecting, storing and processing data on EU residents. Moreover, the penalties for non-compliance are severe.

What is the Scope of GDPR?

Before diving into the specifics of GDPR, we should first review the scope: whom GDPR protects and who is responsible for implementing GDPR.

Schedule a free consultation with one of our GDPR experts today. Just drop your contact information in the form below and we’ll be in touch.


Who is affected by GDPR?

GDPR covers every EU resident; extending protection to 508 million people in 28 EU countries. That’s 24% of the global economy.

However, the scope of GDPR is much more significant. GDPR responsibility extends to any organisation or person worldwide who collects, stores, manages or processes data on any EU resident.

What does that mean for you? If you are reading this and hold any information about an EU resident you are subject to all 56,321 words of GDPR. Requirements, remedies and penalties.

What Data does GDPR Cover?

GDPR covers pretty much any data (or data combined with other information) that can identify an EU resident.

Examples of Data Covered under GDPR:

  • Website cookies
  • Personal information
  • Names
  • Birth Dates
  • Addresses
  • Biometric Data
  • Health Data
  • Cultural Information
  • Demographic Data
  • Gender
  • Race
  • Nationality
  • Religion

The list above is representative and not exhaustive.

8 Rights of EU Residents under GDPR

GDPR conveys the following benefits to EU residents. While we include a summary of each, application of each right requires analysis of specific data.

1. Right to Be Informed

Individuals have the right to fully understand how personal data are collected, stored, managed, protected and processed.

2. Right to Access Personal Data

Individuals have the right to review their data—and any supplemental data—and understand how their data are stored and used.

3. Right to Reject Automated Decision Making

Individuals have the right to request manual processing for any decisions made with their data.

4. Right to Correct Personal Data

Individuals have the right to update, supplement or correct incomplete or inaccurate data.

5. Right to have Personal Data Deleted

When no compelling reason exists to retain such data, individuals may request the deletion of personal and supplemental data.

6. Right to Restrict Processing

Individuals may request that their data not be used for specific purposes.

7. Right to Stop Processing

Where data retention is required individuals may request that their data not be processed in any manner.

8. Right to Data Portability

Individuals may request transfer of their data to another organisation or person for storage or processing.

So what does all that mean?

You should create a comprehensive plan for the collection, storage, management and processing of personally identifiable data. From first contact (website visit, appointment scheduling, etc.) to the deletion of a person’s information, you are responsible for complying with GDPR – or face substantial penalties.

10 Operational Impacts of GDPR

GDPR provisions heightens your responsibilities related to the collection, storage, management and processing of personally identifiable data and expand the scope of what is considered personal data. From technical measures to organisational awareness to reporting timelines and responsiveness to individual’s requests, your business faces far greater responsibility and exposure.

1. Data security and breach notification responsibilities

You are required to notify the relevant data protection authority within 72 hours after discovery of a breach. If there is a high risk to individual’s rights, you must report the incident to the data subject in a ‘timely manner’.

2. Requirement for companies to have a Data Protection Officer

Certain private sector organisations must appoint a Data Protection Officer (DPO) irrespective of their size or how they are processing personal data.

3. Responsibility to obtain consent before collecting data

You must obtain informed consent ‘in clean and plain language’ before collecting data.

4. Responsibility to comply with right to object to profiling

You must comply promptly with an individual’s requests regarding their data. Including the objection to profiling.

5. Responsibility to comply with the right to be forgotten

You must comply ‘in a timely manner’ to an individual’s requests regarding their data. Including the right of data deletion (if permissible).

6. Responsibilities for controllers and processors

You are liable (and can be fined) for failures of their contracted data controllers and processors to protect data under GDPR.

7. Responsibilities under cross-border data transfer

Transfers are prohibited unless made to an Adequate Jurisdiction, or the data exporter has implemented a legal data transfer mechanism (or exemption).

8. Responsibility to pseudonymize personal data where possible

The use of pseudonymized data is strongly encouraged. Pseudonymization is neither anonymous or identifiable data but requires separately held information for identification of an individual.

9. Responsibility to support data portability

You must provide a machine-readable copy of an individual’s data in ‘a timely manner’. Moreover, you may even be required to transmit data directly to a competitor.

10. Codes of conduct & procedures

You must ensure sufficient policies and procedures are in place, as well as adequate contracts for third-party data handlers, to ensure compliance with GDPR.

Consider something as seemingly innocuous as a web form to download an eBook.

You should ensure that any information collected is truly required and collect as little information as possible to complete the request. Additionally, consider informing the user how their data will be stored, managed and processed – and offer users the opportunity to limit any such processing.

(The form in this example was found on a live UK website in November 2017. The details have been changed to shield the source.)

The consequences of failing to comply with GDPR

GDPR expands an individuals rights regarding their data and codifies the right of data subjects to file class action lawsuits.

Additionally, GDPR can levy fines up to €20million or 4% of global turnover – whichever is greater – for each failure to comply with GPDR.

 

For example, in 2016, 35 data breaches in the UK resulted in combined fines of £3,200,000. Had those data breaches been subject to GDPR the penalties could have exceeded £624,000,000 (€700M).

 


We use Cognito Forms to facilitate automation on our website. By submitting this form, you acknowledge that your information will be transferred to Cognito Forms for processing. Learn more about Cognito Form’s privacy practices here. Read DLP’s Privacy Notice.

8 Steps for GDPR Compliance

Preparing for GDPR requires an investment of time and capital and on-going vigilance in data management. An outline of a method to achieve GDPR compliance is below.

1. Raise internal awareness

Begin discussing GDPR and make employees aware of potential changes to data processing.

2. Conduct data mapping

Assess current data collection, retention, storage and processing procedures and policies.

3. Prioritize shortfalls

Evaluate compliance shortfalls and create a prioritised list of items to correct.

4. Conduct gap analysis

Evaluate current data processes against GDPR and document shortcomings and necessary policy changes.

5. Create a remediation plan

Update existing and implement new policies and procedures to bring data handling into compliance.

6. Conduct remedial actions

Implement necessary procedural and technological changes including deleting unneeded data.

7. Conduct training

Conduct training with anyone who comes in contact with data, or manages contractors who manage or process personal data.

8. Continuously monitor

Continuously monitor data collection, storage and processing to ensure continued compliance.

Summary

Compliance with GDPR can seem very daunting. However, with expert insight, a thoughtful and thorough review, and a careful plan, your business can meet the requirements of the General Data Protection Regulations Act.

DLP recognises the substantial impact GDPR will have on businesses in the UK. Our team is trained and ready to help you meet the demands of the GDPR.

Should you have any questions feel free to reach out to our help line. DLP advisors are available to answer any questions you may have at 0330 400 4495.

References: EU Data Protection page
Download a copy of the General Data Protection Regulations

Request a complimentary GDPR consultation


Only Name and Email address are required. Additional information will help us assign the appropriate DLP Advisor for your consultation. Your information will be sent to our DLP Advisors and used only to contact you regarding your request. Your data will be stored in our secure CRM system and not shared with any third parties.