Questions? We Take the What, When and How Out of GDPR
With the General Data Protection Regulation (GDPR) set to take effect in a year and a day, Redstor cuts back the jargon and gives you the answers you need.
GDPR replaces the previous Data Protection Directive (DPD), adopted in 1995, and in the UK will replace and strengthen the Data Protection Act (DPA). One of the first differences between GDPR and the DPD is that GDPR is a regulation, not a directive; as a regulation, it applies directly and no additional enabling legislation has to be passed by the governments of member states.
Key points under GDPR include:
- More focus on the protection of personal data
- Higher fines for non-compliance (€20 million or 4% of global revenue)
- Breaches must be notified within 72 hours
- Organizations will be affected globally
GDPR has been making headlines for some time and it is more than likely you have heard or read about it. The General Data Protection Regulation was first proposed by the European Commission in 2012 and, following lengthy consultation stages and talks, became law in May 2016. At that stage member states were given a 2-year period in which to become compliant with the regulation.
- The 2-year period ends on May 25th 2018, when GDPR takes effect.
Each member state is responsible for complying with the Regulation, as it will become European law; member states then have the power to create additional legislation in certain categories and around ‘special data’.
Each member state will have to enforce the new law, and the relevant supervisory authority will be responsible for investigating data breaches and assigning penalties as necessary.
- In the UK this is the Information Commissioner's Office (ICO)
- In Germany this is the Federal Commissioner for Data Protection and Freedom of Information
As the regulation affects all organizations that hold or process data on any European citizen or organization, some have called it the Global Data Protection Regulation.
To ensure your organization is prepared for GDPR, it is important to gain an understanding of the legislation that will affect you, of your responsibilities and, importantly, of your data.
Organizations are likely to have to implement, or at least update, the data protection policies they have in place. It is important to take ‘technical and organizational measures’ to ensure data is protected and the risk of a data breach is minimized.
To find out more information around the GDPR and how you can ensure compliance, download the Redstor whitepaper for a complete guide.
Key definitions are set out in Article 4 for the purposes of this regulation.
- DATA SUBJECT – An individual who is the subject of personal data.
- DATA PROCESSOR – Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
- DATA CONTROLLER – A person who (either alone or jointly or in common with other persons) determines the purpose for which and the manner in which any personal data are, or are to be, processed.
- PERSONAL DATA – Any information related to a data subject that can be used directly or indirectly to identify that person*.
- DATA BREACH – A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
*Under GDPR this now covers information including an IP address.