Think you are immune from GDPR? Think again!
What is GDPR?
The new EU (European Union) data protection framework, the General Data Protection Regulation (GDPR), replaces the current EU Data Protection Directive. Because it is a Regulation rather than a Directive, it becomes law in every EU member state directly, without the need for national legislation, and is enforceable from 25 May 2018.
If you have paid "lip service" to data protection up to now, this is when you need to sit up and take notice. Although GDPR does not apply until 25 May 2018, it contains onerous obligations that will take time to prepare for, so it is very important to start your preparations now.
Microsoft’s Chief Privacy Officer Brendon Lynch described GDPR as 'The most significant change to EU privacy law in two decades'.
Who is caught by GDPR?
If you are feeling safe because your organisation is outside the EU, then think again. GDPR catches data controllers and processors outside the EU whose processing activities offer goods or services (even if they are free) to individuals in the EU, or monitor their behaviour. Many such organisations will also need to appoint a representative in the EU.
In practice this means that a company outside the EU which targets consumers inside the EU will be subject to GDPR. This is not the case under the current data protection legislation.
As a quick guide, if you can answer yes to any of these questions, then you need to adhere to GDPR:
- Does your organisation have an establishment in the EU, irrespective of where data processing takes place?
- Do you process the personal data of individuals in the EU?
- Do you offer goods or services to individuals in the EU?
- Do you monitor the behaviour of individuals in the EU?
If, having answered these questions, you still feel that you are not caught by GDPR, then check again. Very few organisations will not be impacted by this change.
Why do I need to take action now?
The reach of this new data protection legislation extends outside of the EU geographic borders, so there is nowhere to hide.
In addition, this law has real teeth: fines of up to 4% of the organisation's (group) global annual turnover or €20 million, whichever is the greater. Beyond fines, supervisory authorities can ban you from processing personal data altogether, and individuals can sue you for compensation.
If you are a director, study your directors' insurance carefully: many policies do not cover sanctions arising from GDPR infringements, or the consequences of running an organisation with lax security or controls.
Isn't it just an "IT" project?
Absolutely not! GDPR touches all parts of an organisation, including policies, processes, people, behaviours, client agreements and contracts, and the list goes on. IT will be a significant element of the project, but it is, without doubt, not a project that should be driven by "IT".
As an aside, very few projects should be driven by IT. Other than purely technical infrastructure work, projects should be driven by the business.
If you are reading this and thinking you have plenty of time until GDPR comes into force in May 2018, then think again. GDPR is far more onerous than the current data protection legislation. Identifying and carrying out all the work needed to become compliant is a large undertaking, and you need to allocate plenty of time and resources to get it right.
Here are some places to look for GDPR information:
- GDPR, data protection and legal advice from Callington Chambers
- UK Information Commissioner's Office (ICO)
- Data protection self assessment toolkit
- Channel Islands Data Protection Officer - GDPR
- European data protection law (European Commission)
- Channel Islands guide to GDPR (Carey Olsen)
- GDPR Survival guide (Linklaters)
- EU GDPR (Allen & Overy)
Please note that I am not a legal expert. Please take professional advice.