The 2nd instalment of TRU’s exclusive GDPR blogs.
The General Data Protection Regulation (GDPR), passed by the EU in May 2016, takes the individual member states’ data protection laws and combines them into a single regulation that applies throughout the EU. When the GDPR was passed, a two-year period before it takes effect in member state law was granted to give individual member states the opportunity to prepare for the most comprehensive change to data protection legislation in 20 years.
A Regulation, unlike a Directive, passes into member states’ statute law without the right to derogation or delay. GDPR will become law in every EU member state on 25th May 2018.
Fundamentally, this means that in the UK the current Data Protection Act (DPA) will be replaced by the GDPR. The DPA is a good starting point: any organisation that is fully compliant with the DPA will find that much of its current approach will carry over under the GDPR. However, the requirements of the GDPR are more wide-reaching than those of the DPA. The GDPR takes an already comprehensive Act, enhances it, and adds new areas for consideration.
An organisation that meets the criteria to register with the Information Commissioner’s Office (ICO) under the existing DPA will continue to meet the requirements for registration under the GDPR.
In light of the above, now is the time to start raising awareness of the requirements of the GDPR amongst key personnel within your organisation. Is the board of directors discussing the requirements of the GDPR? Are the directors, senior managers, and key IT and HR departments confident that the organisation is GDPR ready? An organisation should ask “are we confident that we know exactly what data we hold?” Alongside this, the next question should be “are we clear on where that data is held?”
Should the answer to the above questions be “no”, the logical starting point would be to analyse the current risk register, if one exists. Without a risk register it will be almost impossible to address all of the criteria needed to ensure full GDPR compliance. To be fully compliant by the absolute deadline of 25th May 2018, consideration should be given to resource allocation, both financial and in terms of personnel. Although not onerous in complexity, the work required is exceptionally time-consuming, and even a small delay in preparation could lead to the organisation not being compliant in time.
The impact of non-compliance should not be underestimated. Maximum fines for data breaches under the GDPR are £20m or 4% of gross global turnover, whichever is the greater. In many cases this would spell extinction for the organisation.
In the next blog in this series we will look at the next step in the journey to GDPR compliance – assessing what data is held.