Unless you’ve been hiding under a rock or you’re one of today’s lucky 10000 to be hearing about it for the first time, the EU General Data Protection Regulation hype train is reaching full throttle and organisations across the world are engaging panic mode as the readiness deadline looms ever closer.
For those that are lucky enough not to have encountered GDPR yet, what is it all about and why should I care?
GDPR was adopted by the European Commission in 2016 with enforcement ‘going live’ on 25th May 2018, GDPR is now recognised as law across the EU. With over 3000 amendments since the first draft it is officially the ‘most heavily lobbied piece of legislation ever’, and the completed regulation is over 200 pages long.
GDPR largely extends the UK Data Protection Act 1998 and clears up some definitions that were ambiguous or out-of-date for the modern world. Indeed, in 1998 only 30% of us had access to the internet, compared to 98% of some generations carrying an internet-ready computer in our pockets in 2016.
GDPR is a regulation which means that it overrides any local law in any EU member state. This is different to a directive which would still have to go through local governmental processes e.g. parliament before becoming law.
No ifs, no buts, if anything of the following applies to your business, you have to comply:
• Organisations within the EU
• Organisations that offer goods and services to EU residents (including free services such as Facebook)
• Organisations that monitor the behaviour of EU residents (e.g. targeted advertising companies)
In short – every organisation in the EU that processes or uses data in any shape or form, or outside of the EU that offers online services to EU citizens.
GDPR has an exhaustive list of requirements for organisations to comply with that can be summarised around the following areas:
1. What data is considered ‘personal’
2. How personal data should be processed and controlled, and for how long
3. What data security controls organisations should have in place in regards to personal data
4. What rights data subjects have in regards to their own personal data, and how those rights should be enforced
The specifics can get pretty complex and there are a number of organisations already offering accreditation courses for privacy professionals to get up-to-speed with the specific changes and how they might impact your specific business.
The biggest headline around GDPR though is not the rights given to citizens (though they are considerable and will make for some interesting reading once people start requesting data from Silicon Valley giants like Google…).
Instead, the main headline is the potential size of fine that can be imposed for non-readiness. GDPR states the maximum fine for non-readiness is either the greater of either €20million or up to 4% of an organisation’s worldwide annual turnover.
For Google that would mean a fine in the region of $3.5billion!
But no need to panic. We’ve got your back and know that we can help with both our expertise and our industry leading data discovery software.