General Data Protection Regulation FAQs - What is the GDPR?
The General Data Protection Regulation, commonly referred to as the GDPR, is a set of data protection principles and rules that aim to protect data of European citizens.
It aims to regulate the way that data information is stored, used, accessed and secured to ensure data privacy is taken seriously and responsibly.
The GDPR harmonises existing data breach notification laws in Europe and aims to ensure organisations constantly monitor for breaches of personal data.
When it come into force in 2018, the GDPR will affect organisations processing personal data of EU individuals in relation to offering goods or services; or to monitor their behaviour.
Who does the GDPR apply to?
The General Data Protection Regulation (GDPR) is a piece of legislation that was created in the EU, but it doesn’t just apply to organisations that are physically based in the EU. The GDPR will affect every business which trades or operates within the EU, small or large, and will impact on almost every department or element of your business operation including: HR, marketing & promotion, accounting and day-to-day communication.
When does the GDPR come into force?
The GDPR comes into effect on 25th May 2018.
What is the GDPR for?
The purpose of the GDPR is to protect the personal data of EU citizens. The GDPR applies to all organisations that hold data about EU citizens, so even if your business is in Australia, if your hold data about someone based in the UK or another EU country, the rules must be adhered to.
What are the rules for processing data under the GDPR?
There are six basic principles of processing personal data:
- Data must be processed lawfully. It must not be used for illegal reasons
- Data must be collected on the grounds of legitimate purposes only, so you must state the purpose of collecting the data in the first place. e.g. Ask for consent to process someone’s data, make it clear what you are going to do with the data and how it will be used, how long you will hold the data for, and people must be given the opportunity to withdraw consent
- It must be necessary to ask for the data
- Data you store must be accurate
- Data must only be retained as long as necessary – only keep a record of data long enough for the task you are performing or that the data is relevant for.
- Data must be secure
Why is the GDPR so important? What happens if you are found to not comply with the GDPR?
Non-compliance with GDPR as of 25th May 2018 will potentially result in either a fine of up to €20 million, or up to 4% of gross worldwide revenue for the previous year– whichever is the higher amount.
The level of fine will depend on the type of breach and mitigating factors. However, it is really important that employers start preparing for the changes as soon as possible to avoid penalties.
What are the key changes under the GDPR?
- Privacy by design
- Data retention
- Right to be forgotten
- Mandatory breach notification
- Penalties for non-compliance
What you need to know about the data you hold
What data you store, why you have the data, where the data is, who has access, and that it is kept securely.