A brief introduction to GDPR:
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is the most significant change to data protection law in the EU, and globally, in recent years.
Every organisation that collects, processes or shares the personal data of individuals in the EU must comply with the Regulation, whether or not it is established in the EU. The Regulation entered into force on 24 May 2016 and has applied, and been enforceable, since 25 May 2018.
Compliance involves organisations understanding what personal data they currently hold or process and the risks associated with that data, adapting their business processes and infrastructure, implementing tools and compliance processes, and changing the way they collaborate with their suppliers.
Regulatory compliance might be seen as an administrative burden and an extra cost. However, ignoring it or getting it wrong can have costly repercussions.
Organisations found to be in breach of the Regulation face administrative fines (Article 83) in two tiers:
- Up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide annual turnover of the preceding financial year (whichever is higher) for infringements of the following Articles:
8. conditions applicable to a child's consent
11. processing that does not require identification
25. data protection by design and by default
26. joint controllers
27. representatives of controllers or processors not established in the EU
28-30. processors, processing under the authority of the controller or processor, and records of processing activities
31. co-operation with the supervisory authority
32. security of processing
33. notification of personal data breaches to the supervisory authority
34. communication of personal data breaches to data subjects
35. DPIA (Data Protection Impact Assessment)
36. prior consultation
37-39. designation, position and tasks of the Data Protection Officer
41(4). obligations of bodies monitoring approved codes of conduct
42-43. certification and obligations of approved certification bodies
- Up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide annual turnover of the preceding financial year (whichever is higher) for infringements of the following Articles:
5. principles relating to processing of personal data
6. lawfulness of processing
7. conditions for consent
9. processing of special categories of personal data (sensitive data) without a lawful exception such as explicit consent
12-22. data subjects' rights: transparency and information, access, rectification, erasure, restriction of processing, data portability and the right to object
44-49. transfers of personal data to third countries or international organisations
58(1). failure to provide the supervisory authority with access
58(2). non-compliance with an order, a temporary or definitive limitation on processing, or a suspension of data flows imposed by the supervisory authority
A GDPR-compliant organisation not only avoids significant fines and reputational damage, but also gains more robust and reliable data handling, information security, compliance processes and contractual relationships.
GDPR brings two important changes to the EU:
- The first is a level playing field: as a Regulation rather than a Directive, GDPR applies directly and uniformly in all member states without national transposition.
- All companies, corporations, sole proprietorships and partnerships supplying goods or services to individuals in the EU, whether established in the EU or elsewhere, are subject to the same set of requirements on how they collect, process, store, protect and transfer the personal data of data subjects.
- The second is that the rights of data subjects are protected within the EU, between member states, on transfers to third countries and on processing from third countries into the EU.
- Organisations have been required by law to respect, protect and secure personal data since 25 May 2018.
Data Protection Officer (DPO)
- For large organisations processing substantial volumes of personal data, correct GDPR implementation is crucial. Article 37 makes appointing a DPO mandatory for public authorities, for organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and for organisations processing special categories of data on a large scale.
- It is advisable to have someone who meets the DPO requirements of Article 37(5), namely professional qualities and expert knowledge of data protection law and practice, act as an adviser. GDPR Foundation and Practitioner certifications are one way to evidence that knowledge, although the Regulation itself does not prescribe any particular qualification or examination.