Are you feeling a little lost about whether the General Data Protection Regulation (GDPR) applies to you? You aren’t alone. Many organisations are only just beginning to realise how significant the GDPR is and how it will affect the way their businesses operate once it comes into effect on 25 May 2018.
Here are five (5) questions that we come across daily:
1. Do all businesses have to comply?
The GDPR applies to all organisations established within the European Union, and also to organisations established outside the EU if they offer goods or services to, or monitor the behaviour of, data subjects in the EU. In other words, a company that processes or holds the personal data of individuals residing in the EU for either of those purposes is caught regardless of where the company itself is located. This includes private businesses, public limited companies, public authorities, charities, and unincorporated associations or clubs.
2. Isn’t this just an IT issue?
Absolutely not! It is a common misconception that the GDPR only captures data held in electronic format. The GDPR applies to all personal data regardless of the form in which it is stored, including paper records held in a structured filing system. It is therefore essential that your organisation reviews, updates, and regularly audits its physical security measures just as often as its electronic security measures. An individual entering your premises and copying information onto a USB key, or walking out with paper documents containing personal data, is just as much a personal data breach as a compromised server. From network and information systems security to physical building access control and CCTV footage, the GDPR applies to every instance where personal data may be collected, processed, or stored by your organisation.
3. Just how big are the fines?
The current maximum fine under the Data Protection Act 1998 is £500,000. Under the GDPR this is replaced by a two-tier regime: the upper tier is a remarkably steep fine of up to €20,000,000 or four percent (4%) of annual worldwide turnover for the preceding financial year, whichever is greater, for the most serious infringements (such as breaching the data protection principles or data subjects’ rights), with a lower tier of up to €10,000,000 or 2% of turnover for other infringements. In addition to the statutory penalties that may be levied by the ICO, the GDPR also allows data subjects to seek monetary damages in court from organisations that violate their rights.
4. Can’t I just imply consent?
No. Where you rely on consent as your lawful basis for processing, it must be freely given, specific, informed and unambiguous: the data subject must signify agreement to the processing of personal data relating to him or her by a statement or by a clear affirmative action. Silence, pre-ticked boxes or inactivity do not count. The request for consent must be presented in an intelligible and easily accessible form, using clear and plain language, with the purpose of the processing attached to it, and it must be clearly distinguishable from other matters (for example, it cannot be buried in general terms and conditions). It must also be as easy to withdraw consent as it is to give it, and you must be able to demonstrate that consent was obtained. Explicit consent, meaning an express “opt in” and nothing less, is required for processing special categories of personal data (the sensitive personal data of the current regime). Bear in mind that consent is only one of the lawful bases for processing under the GDPR; where another basis such as contract or legal obligation genuinely applies, that may be the more appropriate ground to rely on.
5. What is personal data anyway?
Personal data is any information relating to an identified or identifiable living natural person, the “data subject”. A person is identifiable if he or she can be identified, directly or indirectly, from that information, alone or in combination with other data. It can be anything from a name, a photo, an email address or bank details to posts on social networking websites, medical information, expressions of opinion, biometric data, location data or an online identifier such as an IP address.
Time is running out: the GDPR comes into force on 25 May 2018, so don’t get caught out. Click here to read our 12 steps to GDPR compliance.
The information and opinions contained in this blog are for information only. They are not intended to constitute advice and should not be relied upon or considered as a replacement for advice. Before acting on any of the information contained in this blog, please seek specific advice from Gilson Gray.