The General Data Protection Regulation (GDPR) applies across the EU from 25 May 2018.
GDPR is about protecting the privacy of an individual’s personal data. It’s been introduced to bring different rules across EU countries into a single set and to make sure companies respect and take care of the personal data that they hold on their customers and prospects.
There are five key elements of GDPR that are most important and most relevant for you now:
1. The Fines
GDPR brings fines of up to €20,000,000 or 4% of a business's global annual turnover, whichever is the higher. You should consider GDPR for each part of your business that processes personal data and assess the risks to the individuals whose data you process. You should also consider the commercial, financial and reputational risk to your company.
2. The Principles
Personal data must be: processed lawfully, fairly and in a transparent manner; collected for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary; accurate and up to date; kept for no longer than necessary; and processed with appropriate security against access or loss.
3. Accountability
GDPR requires companies not only to comply with the rules but to be able to demonstrate how they comply. You may need additional policies and statements, and you will have to ensure that your senior team and staff are adequately trained. Where processing is likely to result in a high risk to individuals, you must carry out a Data Protection Impact Assessment (DPIA, often still referred to as a Privacy Impact Assessment or PIA), following the assessment process defined in GDPR, to determine what the risks are and how to mitigate them. You will need to keep far more records of your processing activities, and ensure that your IT security controls and processes are up to date and appropriately strong.
4. Lawful Basis
The GDPR requires that data is processed lawfully and this is achieved by one of six Lawful Bases stated in the GDPR. The three relevant to most companies are consent, contractual necessity and legitimate interest.
The Information Commissioner's Office (ICO) in the UK has confirmed that consent is not mandatory for processing data under GDPR; it is just one of the lawful bases you can rely on, and it is potentially the most difficult to achieve and maintain, since GDPR consent must be freely given, specific, informed and unambiguous, and can be withdrawn at any time. The ICO suggests that legitimate interests is the better option for most companies.
5. Data Breaches
The rules on reporting data breaches (alongside the requirement to take technical and organisational measures to prevent them in the first place) have been strengthened. A personal data breach must be reported to the relevant supervisory authority within 72 hours of you becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; where the breach is likely to result in a high risk to individuals, you must also notify the affected data subjects without undue delay. Because the 72-hour clock starts when you become aware of the breach, not when your investigation is complete, your incident detection, escalation and response processes need to be in place and rehearsed beforehand.
These five points provide a sound base to gain an understanding of GDPR and the practical implications. It’s worth taking the time to investigate more to ensure you’re prepared well before the enforcement date of May 25th, 2018.
Invenias are the world’s largest provider of executive search software. Request a free no obligation demo to learn why over 900 search firms and in-house executive search teams across the globe rely on their innovative solutions to help them identify and attract the best strategic talent.
For further information and resources relating to the GDPR visit www.invenias.com/gdpr.
A cautionary note
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.