How GDPR Impacts Data Management Practices
In insight / By Lydia Cooper / 30 January 2018
On 25 May 2018, Europe’s General Data Protection Regulation (GDPR) becomes enforceable across the EU, and for everyone working in IT and data management that means life in the workplace is about to change drastically.
To help make sure that you and your workplace keep up with the new data protection requirements, we’ve compiled a guide to the essential things about GDPR that you need to know, so that you stay ahead of the data management game.
What is GDPR?
Europe’s General Data Protection Regulation (GDPR) is a new EU regulation that reinforces and strengthens data protection, giving heightened protection to individuals and clearer obligations to organisations across the EU. Although the UK currently has the Data Protection Act 1998 in force, the GDPR replaces and tightens this pre-existing law, and because it is a regulation rather than a directive it applies directly and uniformly in every member state, so that all of Europe is subject to the same data protection rules.
Who Does GDPR Affect?
Although it is only the 28 EU member states that fall directly under the GDPR, this doesn’t mean that only organisations inside the EU are affected. Any company, wherever it is based, that offers goods or services to people in the EU, or that monitors their behaviour, and that manages, holds or processes the personal data of those living within the EU, is caught by the regulation.
How Does GDPR Affect You?
When working out how GDPR affects you and your work, it’s first important to establish whether you’re a processor or controller of data, as this will drastically alter the implications of the General Data Protection Regulation within your workplace.
According to Article 4 of the GDPR, a processor is ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’, whilst a controller is ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’.
If your role falls under ‘processor’ then you are subject to a significant number of restrictions set by the controller. For example, a processor may only act on the controller’s documented instructions and cannot engage another processor without the controller’s prior authorisation. Controllers, in contrast, decide why and how personal data is handled, and as such carry the primary responsibility for ensuring that the GDPR is upheld and that they can demonstrate compliance. It is worth noting, however, that both processors and controllers can be fined if the GDPR is not upheld, with penalties for the most serious infringements reaching up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
Important Changes To Be Aware Of
Although there are many changes that the General Data Protection Regulation has brought to the role of data management, there are some changes that are more notable than others.
Primarily it’s important to know that as of 25 May 2018, a controller must notify the relevant supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to “result in a risk to the rights and freedoms” of individuals. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay. This tight time frame is a massive change to the system, and breach detection and escalation processes need to be in place in advance to avoid breaching the GDPR itself.
It’s also worth noting that data subjects now have significantly stronger rights over their own personal data, including the rights to access it and to have it erased. If a data subject so wishes, they can find out whether and why their data is being processed and who it is shared with, and they are entitled to a copy of that data free of charge, supplied in a commonly used electronic form where the request was made electronically. They may also ask for the data to be erased under the ‘right to be forgotten’, although this right is not absolute: it does not apply where the processing is still necessary, for example for freedom of expression, to comply with a legal obligation, or for a task carried out in the public interest.
GDPR Data Protection Officers
As part of the legislation, certain organisations must also appoint a data protection officer (DPO), whose job is to advise the organisation on its obligations, monitor compliance, and act as the point of contact for the supervisory authority, ensuring that the GDPR is implemented effectively. Not every company is obliged to appoint a DPO, but public authorities and bodies (other than courts acting in their judicial capacity) must have one, as must private organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data or criminal conviction data.
To help ensure that your organisation is adhering to the GDPR, why not contact one of our professional services team today, and we’ll work with you to find the best possible services and programmes for you and your business.