From the 25th of May, these new rules will apply to any organisation that processes personal data relating to an EU citizen.
What is personal data? Simply put, it is any information that can identify a living individual.
The General Data Protection Regulation (GDPR) is an evolution of the existing Data Protection Act (DPA). The Data Protection Act is now over 20 years old, and these new rules will address a number of its shortcomings.
What is considered personal data has been updated to reflect the modern world we live in. Biometric data, genetic data, IP addresses and pictures of you all now fall within the regulation's scope. These new rules also require organisations to be able to demonstrate and evidence their compliance.
For example, organisations must now document in detail any processes which make use of personal data. They will also be required to undertake risk assessments should they process sensitive types of personal data.
The above are just two small excerpts from the new standard. In summary, the new rules are complex and far-reaching. For small organisations, the task of becoming compliant is considerable, and the effort required is proportional to the volume and nature of the personal data you collect and process.
Consequences of the new rules
Our local authority, the Information Commission, will oversee and enforce these new rules just as it did with the Data Protection Act.
Under current DPA rules, the maximum fine an organisation could be liable for in the event of a breach was £500,000.
With GDPR, the Information Commission can now impose fines of up to 20 million Euros or 4% of annual worldwide turnover (whichever is the higher value).
Another key change under these new rules is that both data controllers (the party which collects the data) and data processors (the party which performs operations on the collected data) are now deemed liable.
For more information on the new standard, please visit the Information Commission's website.
Polymorph can also help you navigate a course towards compliance and offers consultancy services to prepare you for the 25th of May deadline. We are holding a coffee and cake morning with an introduction to GDPR and how it will affect your organisation. For more information click here.