What is the GDPR?
The GDPR is really a set of different rules. These include:
Notification: There will be a 72-hour window in which companies will need to notify regulators of breaches where a data breach is likely to “result in a risk for the rights and freedoms of individuals”.
Access: Individuals can ask for confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. They can also request a copy of the personal data in an electronic format at no cost.
The right to be forgotten: Individuals can ask for any PII about them to be erased and for third parties that have access to that data to stop using it. In other words, consent to collect and use data can be revoked.
Portability: If an individual receives their data from one entity, they can pass it to another.
Privacy by design: There is now a legal obligation to build systems with privacy as a core design element.
Data protection officers: Entities that collect, store and use PII will need to appoint Data Protection Officers - these can be internal or external personnel - who will manage the processes associated with compliance with the GDPR.
What is GDPR?
General Data Protection Regulation, or GDPR, is one of the most important pieces of legislation ever passed for IT departments.
Approved by the European Union in April 2016 and set to come into force in the UK on May 25th, 2018, GDPR is hugely significant for businesses of all sizes as it will greatly affect how they gather, store, and look after their data.
The key tenets of GDPR concern the privacy rights of everyday users and the data they create online, and look to bring together several existing laws and regulations to harmonise rulings across the European Union.
Under GDPR, companies will also have to be more up front when collecting the personal data of customers - meaning consent will need to be explicitly given, as well as the gatherers needing to detail the exact purpose that this data will be used for.
This personal data will also need to be encrypted by default as part of a process known as pseudonymisation, meaning that it cannot be linked to a specific person without being accompanied by extra information.
Personal data applies to a wide range of information - effectively anything that could be used to directly or indirectly identify a person online. This could include names, email addresses, images, bank details, posts on social networking websites, medical information, or even a computer IP address.
Users will also have the right to know exactly what details a company or organisation holds about them, and, under the new “right to erasure”, to request that any of this information be deleted if they feel their rights to privacy are being infringed.
Companies that suffer data breaches, whether accidental or as part of a cyber-attack, will need to disclose this event to the relevant authorities within 72 hours of it happening - although there is no requirement to notify users unless instructed.
Any organisation found to not be conforming to the new regulation after the May 25th deadline could face heavy fines, equivalent to four per cent of annual global turnover, or €20 million - whichever is greater.
Who does the GDPR apply to?
It would be easy to put your head in the sand and think this is a uniquely EU set of rules. But the GDPR applies to the data of all EU citizens, regardless of where it is stored.
In short, even if you’re an Australian business, if you have any business dealing with parties in the EU, you need to look into whether the GDPR impacts you.
The good news is that, if you look at what’s required of you under the GDPR, you’ll be giving your customers great protection for their PII.
Small businesses (defined as having fewer than 250 employees) may be exempt from elements of the GDPR. But it seems to me that complying with the rules makes good business sense.
The penalties for non-compliance
This is where it gets ugly. If you breach the GDPR, the penalties can be substantial. Here are the penalties:
a warning in writing in cases of first and non-intentional non-compliance
regular periodic data protection audits
a fine up to €10,000,000 or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater
a fine up to €20,000,000 or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater
Tying penalties to annual worldwide revenue makes penalties meaningful, in my view. After all, even a €20,000,000 fine is relatively inconsequential for a business that has billions of dollars in quarterly revenue.
The nitty-gritty of which penalties apply in particular circumstances is in Article 83 of the legislation.