The GDPR primarily seeks to provide unified and clear rules on stronger data protection that is fit for the digital age, giving individuals more control of their personal information processed by companies and easing law enforcement. GDPR orchestrates the harmonisation of data protection law across the EU.
The new regulation will also affect non-European companies that offer goods or services to – and/or monitor the behaviour of – European Union residents, and therefore process any of their personal data.
The GDPR introduces many key changes that organisations need to consider:
- Non-EU businesses will still have to comply with the Regulation
- The definition of personal data is broader, widening the regulated perimeter
- Consent will be necessary for processing data
- Rules for obtaining valid consent have been changed
- The appointment of a Data Protection Officer (DPO) will be mandatory for certain companies and activities
- Mandatory Data Protection Impact Assessments (DPIA) have been introduced
- New requirements for data breach notifications – within 72 hours of becoming aware of the breach
- Data subjects have the right to be forgotten
- New restrictions on international data transfers
- Data processors share responsibility for protecting personal data
- New requirements for data portability
- Processes must be built on the principle of privacy by design
Fines for non-compliance with the GDPR depend on the infraction. In the case of a personal data breach, the fine is up to 4% of the company’s annual worldwide turnover or €20 million, whichever is higher. For other infringements of GDPR provisions, the fine is up to 2% of annual worldwide turnover or €10 million, whichever is higher.
The Brexit Question
UK organisations handling personal data will still need to comply with the GDPR, regardless of Brexit. It will come into force before the UK leaves the European Union, and the government has confirmed that the Regulation will apply, a position that has been confirmed by the Information Commissioner.
Support adapting to the GDPR
The team at Core Business Solutions has many years of experience in applying data protection systems and processes, whether the work is technical, organisational, legal or practical. This includes:
- Data Protection – Legal and Governance Frameworks
- Data Flow Mapping, Gap Analysis and Impact Assessments
- Policies and procedures
- Information security
- Incident management
- Compliance Frameworks and documentation (ISMS and PIMS)
- Project Management
- Data Protection Officer role
How we work
Data Flow Mapping – Core will work with you to create an inventory of the personal data held and shared by your organisation, and develop data flow mapping of your processes.
GDPR Gap Analysis – Core can provide a detailed assessment showing your organisation’s current GDPR compliance position, and a remediation plan to address any gaps and risks.
Data Protection Impact Assessments (DPIA) – Core can provide an assessment of the data protection risks associated with your processes and a remediation plan to mitigate those risks.
GDPR Compliance Frameworks – Core will develop a privacy compliance framework to provide a structure for the management of personal data that can be used to ensure you comply with the GDPR.
- BS 10012-compliant Personal Information Management System (PIMS)
- ISO 27001-compliant Information Security Management System (ISMS)
The team at Core are experts in Business Continuity and Resilience, so we can help you protect your business, your people and your assets.