Potential fines of up to £17 million or 4% of annual turnover

Comes into force

25th May 2018

All businesses will be affected!

What is the GDPR?

On 25 May 2018, the 1995 Data Protection Directive will be replaced by the General Data Protection Regulation (GDPR). This will impact the whole of the EU Zone, which currently spans 28 member countries and half a billion citizens.

The new regulation aims to harmonise how data is handled across the whole of the EU, but it will affect organisations both inside and outside the EU Zone. The data protection world has changed radically over the past 20 years – ‘seeing what you can find’ from backup tapes will no longer suffice. These new regulations bring massive changes.

The key elements of GDPR are:

  • Mandatory breach notifications – fast response and large fines
  • The ‘Right To Be Forgotten’ – necessitating the ‘ability to be found’
  • Consumer profiling restrictions – personal data should not be used without consent
  • Be accountable for your data – appoint a Data Protection Officer (DPO)

The bottom line is that the option to weigh the costs of compliance against the risk of prosecution will disappear. It will also dispel the belief that non-disclosure will protect the reputation of a company. In fact, earlier disclosure may be seen as an honourable and responsible act in a world where data theft and misuse are becoming more common.

The real purpose of GDPR is to shift control of personal data back to the owner of that data, rather than having the owner surrender all rights once a form is filled in or an order is placed. In future, the owner will grant access to personal information rather than hand over ownership of the data they submit.

From an information management perspective, the regulations provide governance over data malpractice and give it real teeth with the threat of fines of 2-4% of annual revenue. If an organisation fails to ask for explicit consent, with accurate details of what data is being collected and how it will be shared, the company can be held to account.

Ownership and accountability will be in the hands of a nominated Data Protection Officer, but any proven negligence may also be considered a failure at boardroom level.

Probably the greatest weight to be laid upon data management will be the Right to be Forgotten. From a data storage technology viewpoint, the biggest impact will be the need to support this by enabling the “ability to be found”. It will require organisations to have access not only to the data, but also to the context associated with that data throughout the environment. Discovery capability will be essential. Complying with this regulation will demand a very specific focus on elements of the data, some of which are easily accessible, while others are really difficult to ascertain with accuracy.

GDPR demands an accurate and specific lens on data:

  • Where is it located?
  • Who is the actual author?
  • Is it personal information?
  • Where is every version stored?
  • Who has access to the data?
  • Who is the subject?
  • With which departments is this individual associated?
  • Is the content sensitive?
  • Where is every piece of data relating to this person?

Want to know more about GDPR, or want to become compliant? Please don’t hesitate to contact us today.