What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is the European Union's data protection regulation coming into force in 2018

Who does it affect?

Organisations holding or processing data pertaining to EU citizens

What of existing regulations?

GDPR replaces the European Data Protection Directive (DPD) that came into force in December 1995

Non-compliance

In serious cases, fines up to 20 million Euros, or 4% global turnover, whichever is the greater

How has it Changed?

New Authority

New regulatory powers for the Information Commissioner's Office (ICO), including audit, orders to cease business, suspension of data processing or operations to third

Conducting Privacy

Requirement to conduct Privacy Impact Assessments (PIA) against any processing involving sensitive personal data

Documented Policies

The business must be able to demonstrate documented policies and procedures in line with GDPR

Breaching Regulation

Failure to comply may result in penalties; for serious breaches, strict fines may be imposed

Data Protection Officer

Companies processing sensitive data must appoint a Data Protection Officer (DPO)

Accountability

Businesses must show greater accountability for the validation, protection and destruction of personal data

Data Ownership

The client retains ownership of the data they have supplied and may be entitled to request the raw telematics data for portability

Different Data Types

Personal Data

Data relating to an individual, e.g. home address, phone number or type of car they drive

Sensitive Data

Special classes of personal data, e.g. biometric and genetic data

Consent

There must be explicit or unambiguous consent from the individual to hold and use their data

Defined Data Responsibility

Data Subject

The individual who is the subject of the personal data

Data Controller

The person who determines the manner in which the data will be processed

Data Processor

The person or organisation that processes the data

Data Protection Officer

The person responsible for ensuring compliance, risk reduction and control of the data on behalf of the business

Data Areas Included in the Regulation

Data Collected or Created

Data Erasure

Data Archiving

Data Processed

Data Used or Analysed

Data Reporting

How to Prepare?

Global Reach

British business will still be affected after leaving the EU; GDPR has global reach

Personal Data

Make sure that all the personal data you hold is documented, including its source and origin

Reviewing Data

Review data processes and procedures, particularly how consent is sought and recorded

Validation of Age

Verify age of individuals and gather parental or guardian approval, ensuring all records are updated

Data Protection Officer

Identify a Data Protection Officer

Deadline

2018 seems a long way off; don't be caught out, act now

Awareness

Ensure that decision makers in your organisation are aware of the changing law

Privacy Notices

Review current privacy notices and plan changes

Data processing

Verify and document data processing processes

Policies

Update policies

We Can Help you Become Compliant

Fifth Step

Assessment

Implementation

Compliance

Fifth Step can provide expertise to assess and action the changes to attain compliance with GDPR

For more information, please contact Wayne Jolly - Head of Security