What is GDPR?
The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA areas.
- GDPR came into effect on the 25th May 2018.
- Compared with previous data protection regulations:
  - Significant fines may be imposed.
  - Individuals have more rights and ability to enforce those rights.
  - The organisation needs to know how to respond to data subject requests.
  - Data breaches require formal reporting to the Information and Data Protection Commissioner.
- The GDPR requires that organisations abide at all times by seven principles when collecting, storing or sharing data on individuals (‘personal data’).
- The seven GDPR principles require that organisations:
  - Are transparent when collecting personal data.
  - Collect, store and share the minimum data required for lawful reasons.
  - Use data only for the purpose originally communicated.
  - Have processes in place to keep data accurate and up to date.
  - Store data according to a lawful retention period.
  - Handle data securely and respect individuals’ rights, including those of employees, customers and suppliers.
  - Are accountable and can provide evidence of complying with the GDPR.
What are the penalties?
- Administrative penalties may be imposed if an organisation is found to be non-compliant:
  - The higher of 10 million EUR and 2% of total worldwide annual turnover if, for example, data is not securely collected, shared and stored.
  - The higher of 20 million EUR and 4% of total worldwide annual turnover if, for example:
    - Data is collected and stored without consent, when consent is required.
    - Individuals’ rights under the GDPR are infringed.
    - Personal data is transferred to a country outside the EU/EEA without adequate safeguards.
Who is affected?
- Any business located in the EU/EEA area.
- Any business outside of the area but dealing with personal data on EU/EEA residents.
Who is not affected?
- Organisations dealing only with the following:
  - Information related to companies (e.g. a company telephone number).
  - Information which is anonymous.
- Individuals who use information for personal or household activities.
- Organisations outside the EU/EEA dealing with data on individuals not residing in the EU/EEA.
How We Can Help
Nexia BT’s Advisory team is equipped with the necessary tools, knowledge and expertise and will carry out an assessment to understand how the organisation collects, shares and stores personal data.
The team will assist the organisation in understanding its obligations as a controller and/or processor under the GDPR and will provide guidance and recommendations tailored to its operations.
As part of its advisory services, the team is also able to provide face-to-face information sessions to familiarise the organisation’s personnel with the GDPR, including the procedures for reporting data breaches and for addressing requests from data subjects.