EU General Data Protection Regulation (GDPR)
This information is intended to support you through your data protection and privacy journey, and should not be used as a substitute for legal advice.
What is the EU General Data Protection Regulation?
The GDPR introduces far-reaching obligations for companies that collect, use, or otherwise process personal information.
- The GDPR is the EU’s reform of its privacy framework.
- Currently, the EU’s privacy framework consists of a bundle of national data privacy laws.
- The GDPR will introduce a single framework that is directly applicable in all EU Member States; however, a large number of national customisations remain possible.
- The GDPR contains the same six core data protection principles, but there are significant changes and additional requirements. For example, the GDPR introduces certain enhanced rights for covered individuals, such as data portability rights.
To whom does the GDPR apply?
- Companies established in the EU that process personal information;
- Companies based outside the EU that offer goods or services directly to individuals in the EU (regardless of whether payment is required), or monitor the behaviour of individuals in the EU (for instance, through customer profiling).
Enforcement begins on May 25, 2018
Supervisory authorities will have the power to levy fines of increasing levels of severity, up to EUR 20 million or 4% of a company’s group global annual turnover of the past financial year.
What’s Dash Information Systems doing to prepare for GDPR?
We have taken steps to conduct detailed data inventories and are implementing processes and making enhancements designed to comply with the requirements of GDPR. We realise the need for ongoing efforts to support the privacy and security of personal data entrusted to us, and we are committed to protecting such data in line with the requirements of GDPR.
What can you do to prepare?
- Familiarise yourself with the provisions of the GDPR, particularly how they may differ from your current data protection obligations.
- Consider creating an updated inventory of personal data that you handle. This will help identify and classify data.
- Review your current controls, policies, and processes to assess whether they meet the requirements of the GDPR, and build a plan to address any gaps.
- Monitor updated regulatory guidance as it becomes available, and consult a lawyer to obtain legal advice specifically applicable to your business circumstances.
What is a data controller?
- The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller.
- If you are a data controller, you may find guidance related to your responsibilities under GDPR by regularly checking the website of your national or lead data protection authority under the GDPR (as applicable), as well as by reviewing publications by data privacy associations such as the International Association of Privacy Professionals (IAPP).
International data transfers
- If your organisation operates in more than one EU member state (i.e., you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
- The Article 29 Working Party has produced guidance on identifying a controller’s or processor’s lead supervisory authority.
Stay informed: Stay abreast of updated regulatory guidance as it becomes available and consider consulting a legal expert to obtain guidance applicable to you. We recommend regular review of the Information Commissioner’s Office website, the UK representative within the EU’s Article 29 Working Party.