Now that the GDPR is in force, it is essential that businesses ensure they are following the new regulations. Non-compliance has the potential to cause significant financial damage, and the supervisory authorities in the EU member states will be taking their new enforcement responsibilities seriously. Here, I highlight a few GDPR basics, examine what is changing, and set out what non-compliance could mean for your business.
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. It applies directly in all member states of the EU, and it also reaches organisations established outside the EU that offer goods or services to people in the EU or monitor their behaviour. It introduces a number of new processes, procedures, rights, and responsibilities concerning the way organisations handle personal data. The regulation aims to standardise data protection practice across Europe and to ensure that organisations collect, store, transfer, and delete data in a secure and lawful manner.
The GDPR is mainly focused on the handling of ‘personal data’ and, within that, the ‘special categories of personal data’ (often still called sensitive personal data). Personal data means any information relating to an identified or identifiable individual, such as names, addresses, phone numbers, and online identifiers like IP addresses and cookie IDs. The special categories are defined by their subject matter rather than by how hard they are to obtain: they include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and data concerning a person’s sex life or sexual orientation, all of which attract stricter conditions for processing.
To address the major implications of GDPR, there are a number of important factors businesses must consider, including:
One of the most highlighted aspects of the GDPR is the introduction of powers to issue very large administrative fines for non-compliance. Organisations found to be in breach of the regulation’s core obligations could face a financial penalty of up to €20 million or 4% of their total worldwide annual turnover for the preceding financial year, whichever is greater; a lower tier of up to €10 million or 2% of turnover applies to less serious infringements, such as failures in record-keeping, security measures, or breach notification.
While only the worst offenders are likely to be hit with the maximum fine, the ability to tailor the penalty to the severity of the infringement and to the financial resources of the non-compliant organisation makes the GDPR a powerful regulatory tool. However, initially I think supervisory authorities are likely to encourage and reward genuine attempts to comply with the regulation, even where there are some early issues, rather than immediately punish with severe fines, although I expect they will make an example of companies where appropriate.
It is clear that implementation of the GDPR will continue to result in widespread changes in most UK businesses, although it is not as radical a departure from existing data protection law as has sometimes been represented. With the threat of large fines and damage to reputation, businesses need to ensure that they are complying with the new measures.
Finally, these comments highlight some of the most important changes introduced by the GDPR, but please be aware that the legislation runs to 99 articles; businesses should seek legal guidance if they require assistance with their data handling and management practices.