GDPR stands for General Data Protection Regulation. It comes into effect on 25 May 2018 and will substantially change the way in which companies handle personal data. The changes are significant, and companies need to start taking action now in order to be prepared for the deadline. To get you going, we have compiled a list of the top 10 questions that our customers ask us when it comes to addressing GDPR within their business.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive new privacy law that gives people in the European Union (EU) greater control over their “personal data” and requires organisations to maintain appropriate security of that data. Failure to comply with the GDPR can result in significant penalties.
Who needs to know about the GDPR?
The GDPR applies to companies, government agencies, non-profits and other organisations that are established in the EU, that offer goods and services to people in the EU, or that monitor the behaviour of people in the EU (for example by collecting and analysing data tied to them). It applies no matter where the personal data is actually processed.
When will the GDPR come into effect?
The European Parliament approved and adopted the GDPR in April 2016, and it becomes enforceable on 25 May 2018.
How will the GDPR affect my company?
The GDPR imposes a wide range of requirements on organisations that collect or process personal data, including a requirement to comply with the six key data protection principles set out in Article 5 (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality), with the organisation accountable for demonstrating that compliance.
How much can companies be fined for noncompliance?
Companies can be fined up to €20m or 4% of annual global turnover, whichever is greater, for failure to meet certain GDPR requirements (a lower tier of up to €10m or 2% applies to other breaches). In addition, individuals who suffer damage because of non-compliance have a right to claim compensation, which further increases your risk if you fail to adhere to the GDPR.
What specifically is deemed personal data?
Personal data is any information relating to an identified or identifiable natural person, whether directly (a name, an identification number) or indirectly (location data, an online identifier, or a combination of characteristics that single someone out). There is no distinction between a person’s private, public or work roles.
How does the GDPR apply to children?
The GDPR includes specific protections for children. Where an online service is offered directly to a child, consent to processing is only valid if it is given or authorised by the holder of parental responsibility over the child. The GDPR sets the age below which this parental consent is needed at 16, but Member States may individually set it lower, down to a minimum of 13 years old.
Do we need to ask for consent to collect, store and process personal data from my employees and my customers?
Not necessarily consent, but you must have a lawful basis for every processing activity. Consent is only one of the six lawful bases in Article 6; the others are performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests. For employees in particular, consent is rarely the right basis (it must be freely given, and an employee can seldom refuse without consequence), so most employee processing will rely on contract, legal obligation or legitimate interests. Whatever basis you choose, record it and explain it in your privacy notice.
My company has offices and personnel outside Europe. Do I only need to cover personnel in Europe?
The GDPR applies more broadly than might be apparent at first glance. It covers any processing carried out in the context of an establishment in the EU, regardless of where the processing takes place or where the individuals concerned are located, so personnel data handled by your European offices or systems is in scope even for staff based elsewhere. Unlike privacy laws in some other jurisdictions, it is also applicable to organisations of all sizes and all industries.
Does my business need to appoint a Data Protection Officer (DPO)?
It depends on several factors identified within the regulation. Article 37 of the GDPR states that controllers and processors shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10. Member State law may require a DPO in further cases, and an organisation that is not obliged to appoint one may still choose to do so voluntarily.