The GDPR Effect
The New European Union (EU) General Data Protection Regulation (GDPR) is due to come into effect on Friday 25th May 2018.
It is being introduced to standardise data privacy laws across Europe, to protect and empower all EU citizens regarding the privacy of their personal data and to reshape the way organisations approach data privacy. The impact of GDPR on organisations is that most, if not all organisations (operating any part of their business within Europe) will be required to change their current practices relating to personal data management, analytics and reporting.
As part of GDPR compliance, the following will apply:
- Companies will need a legal basis to justify the collection and processing of personal data.
- Consent to use personal data must be “freely given, specific, informed, and unambiguous”.
- Non-compliance with the GDPR directives may result in a fine of up to 4% of total global annual turnover or €20 million.
How will GDPR affect me or my organisation?
The GDPR is all about protecting and enabling the privacy rights of individuals. It will enforce strict global privacy requirements governing how companies manage and protect personal data while also respecting the choice of individuals. This includes responding to individual requests to update or erase data, and providing evidence of how this is done.
Personal data is broadly defined as any data that relates to an identified or identifiable natural person. Beyond obvious identifiers such as a person’s name or tax number, it also covers racial or ethnic origin, political opinions, religious beliefs, group membership, biometric, health and genetic data, and sexual orientation. Personal data may reside in a CRM, line of business applications, web sites, surveys, job applications, marketing systems, email, mobile apps, databases, photos, video footage, and any number of other digital locations. Under GDPR, individuals have a right to know whether an organisation is processing their personal data and for what purpose. They also have the right to have personal data deleted, corrected or moved. At any time, they can also revoke consent for certain uses of their data.
Understanding the guidelines of GDPR is crucial for any organisation operating within the EU region. Even if your organisation is not based in the EU, but works with EU organisations or handles data from EU residents, GDPR applies to you. The principles of the EU GDPR are also likely to be adopted in other parts of the world.
Preparing is Key
In today’s digital era, personal data lives everywhere: on-premises, in the cloud, on devices and even in “things”.
To comply with GDPR, organisations will need to put processes in place to record data collection consent as well as to discover, audit, organise, govern, secure and delete data. For many business applications and analytics processes, deleting data is an unusual event that may never have been considered in the past. Getting GDPR-ready requires a holistic approach with cross-functional expertise, changes to enterprise-wide processes, and probably the acquisition of some new tools. To start preparing for GDPR, we recommend that all organisations read and understand the GDPR regulation (or at least an accredited summary version).
This is where Glantus can help – our Personal Information Tracker can help you shape and accelerate your GDPR compliance so you can rest easy come May 25th.