EU GDPR (General Data Protection Regulation) Overview
What is the GDPR?
The GDPR, enforced on 25 May 2018, harmonises data protection across the EU. It supersedes all domestic laws based on the DPD (Data Protection Directive 1995), including the UK’s DPA (Data Protection Act 1998). The UK has since enforced the DPA 2018, taking the GDPR into account – cementing its requirements in British law regardless of Brexit. Note that any organisation processing EU residents’ personal data has to comply with the Regulation – whether based in the EU or not.
Key changes introduced by the GDPR
The Regulation extends the rights of data subjects, aiming to protect EU residents’ personal data and mitigate breaches. It also places several new obligations on organisations; among other things, they must develop or update certain policies and procedures, including privacy policies. Organisations must also take “appropriate technical and organisational measures” (Article 32) to comply.
The Regulation introduces a number of key changes:
- Organisations based anywhere in the world need to comply if they offer services – free or otherwise – within the EU.
- The definition of ‘personal data’ now includes other factors that can be used to identify an individual, e.g. their genetic or economic identity.
- Parental consent is required for processing children’s data (in the UK, under the age of 13).
- Rules for obtaining consent have been changed. Silence or inactivity does not constitute consent. Consent should be a clear, affirmative action.
- Controllers can only collect data for “specified, explicit and legitimate purposes” (Article 5). They should not collect or process data that is not necessary to achieve those purposes, or keep the data for longer than required for achieving those purposes.
- Appointing a DPO (data protection officer) is mandatory for all public authorities and for organisations that process large amounts of sensitive data or regularly perform large-scale monitoring of data subjects.
- DPIAs (data protection impact assessments) are mandatory before undertaking high-risk data processing activities.
- Data controllers must report data breaches to their data protection authority (in the UK, the ICO (Information Commissioner’s Office)) within 72 hours of becoming aware of them. Where a breach poses a high risk to data subjects’ rights and freedoms, the affected individuals must also be notified.
- Individuals have the ‘right to be forgotten’.
- There are new restrictions on international data transfers; non-EEA organisations may need to appoint a representative in the EEA, or meet any of the provisions outlined in Chapter V.
- Processes must be built on the principle of privacy by design and data protection by default. This means that data protection is taken into account from the beginning.
- Organisations are required to carry out risk assessments and put in place administrative and technical data protection controls that are proportionate to the risk to data subjects.
Fines for non-compliance with the GDPR
Organisations that breach the GDPR may receive fines of up to 4% of annual global turnover or €20 million (around £17.5 million) – whichever is greater. This should provide an incentive for all organisations to achieve better levels of information security.
How Vigilant Software can help your organisation to comply with the GDPR
Vigilant Software provides organisations of all types and sizes, and in all locations, with compliance software to streamline their GDPR projects.
To comply with the GDPR, organisations must understand what personal data they process. To do so, it’s necessary to create a data flow map.
The Data Flow Mapping Tool simplifies the process of creating data flow maps, making them easy to review, revise and update as your organisation evolves.
This tool helps accelerate your understanding of how personal data is collected and processed and helps you systematically identify all the stages in a personal data flow that have data protection implications. This enables you to more quickly determine the appropriate administrative and technical controls necessary to comply with the GDPR.