The GDPR will be enforced from 25 May 2018. UK organisations that process the personal data of EU residents have only a short time to ensure that they are compliant.
Introduced to keep pace with the modern digital landscape, the GDPR is more extensive in scope and application than the current Data Protection Act (DPA). The Regulation extends the data rights of individuals and requires organisations to develop clear policies and procedures to protect personal data and to adopt appropriate technical and organisational measures.
The GDPR introduces a number of key changes for organisations:
- If your business is not in the EU but offers goods or services to, or monitors the behaviour of, people in the EU, you will still have to comply with the Regulation
- The definition of personal data is broader (it explicitly covers online identifiers such as IP addresses and cookie IDs), bringing more data into the regulated perimeter
- Parental consent will be necessary for processing children’s data where online services are offered directly to a child
- The rules for obtaining valid consent have been changed: consent must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give
- The appointment of a data protection officer (DPO) will be mandatory for certain organisations, including public authorities and those whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data
- Data protection impact assessments (DPIAs) will be mandatory for processing that is likely to result in a high risk to individuals
- There are new requirements for data breach notification: the supervisory authority must be notified within 72 hours of the organisation becoming aware of a breach where feasible, and affected individuals must be informed where the breach is likely to result in a high risk to them
- Data subjects have the right to erasure (the “right to be forgotten”)
- There are new restrictions on international data transfers outside the EEA
- Data processors share responsibility for protecting personal data and can be held directly liable
- There are new requirements for data portability: individuals can obtain their data in a structured, commonly used and machine-readable format
- Processes must be built on the principles of privacy by design and by default
- The GDPR is a one-stop shop: an organisation operating in several EU member states deals with a single lead supervisory authority
Penalties under the GDPR
The Regulation mandates considerably tougher penalties than the DPA: organisations found in breach of the Regulation can face administrative fines of up to €20 million or 4% of annual global turnover, whichever is greater (a lower tier of up to €10 million or 2% applies to infringements such as failing to keep processing records or to notify a breach). Fines of this scale could easily lead to business insolvency, and data breaches are commonplace and continue to grow in scale and severity.
The Brexit question
UK organisations handling personal data will still need to comply with the GDPR, regardless of Brexit. The GDPR will apply before the UK leaves the European Union, and the government has confirmed that the Regulation will apply, a position the Information Commissioner has also confirmed.
GDPR and Drupal
A module available for Drupal aims to help your Drupal site follow the guidelines and legislation set by the EU under the GDPR. It provides a checklist of checks and recommendations covering site configuration and contrib modules that would fix issues, alongside general GDPR items that are not specific to Drupal. The completed checklist can also form part of the documentation you keep to show a supervisory authority that your organisation is meeting its GDPR obligations; note that a checklist supports, rather than replaces, the accountability record the Regulation expects you to maintain.
How Ixis are preparing for GDPR
At Ixis we are taking a number of actions to ensure that data protection and information security are a top priority for us and our clients:
- Ixis are undergoing ISO 27001 information security compliance, which will be completed in 2017.
- Discussing GDPR with our clients so that they know we are prepared and that their websites meet the Regulation.
- Understanding how our suppliers and partners are preparing for GDPR.
- Holding internal discussions and meetings to make Ixis staff aware of GDPR and how it affects their day-to-day roles.
- Reviewing and refreshing the consent we hold for the data we keep on clients and prospective clients.
- Removing unnecessary data we hold on clients and individuals.
What can you do to be prepared?
25 May 2018 will be upon us in the blink of an eye, so it is recommended that you prepare well in advance for the implementation of the new regulation.
The Information Commissioner’s Office has a wealth of resources to assist you in taking the next steps towards GDPR compliance, including a 12-step checklist of what to do in preparation: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Furthermore, the ICO provides a useful self-assessment tool, which can be found at https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/