In this GDPR overview, you will find information on how we got here and the key points.
GDPR has come about to give a unified standard to data protection throughout the EU. The act, which will come into force on May 25th, is one of the most lobbied and discussed pieces of EU law, and yet it leaves unanswered questions and grey areas.
The key point for organisations is that this applies to all organisations, and May 25th, 2018 is the date by which compliance is required, so if you have not started then time is running out.
GDPR overview: the key differences
- This applies to all organisations, of all sizes and types
- Documented proof is required showing where all the relevant data is held, the security levels applied, the processing carried out and the internal policies in place
- The data rules are basically the same across all UK states with some local variations
- Data subjects have the right to know which databases they are on, why, and what processing is involved. They can ask to be excluded from processing or for complete removal
- Freely given consent is required from all data subjects and must be documented
- If data is processed outside the EU, then it has to be processed to GDPR standards
- The fines are set to a maximum of £20M or 4%, whichever is the greater
The grey areas
Maintaining data security is a requirement, and many have looked at encryption as a potential tool. This is probably fine for local drives, but where the data sits on a third-party server or cloud storage system, the third party or the cloud provider may also hold the encryption key, and whoever holds the key can read the data.
There is little clarity over business data, particularly around email addresses. Clearly, "info@" is a business email address. Is firstname.lastname@example.org a business address or a personal address? Logically it is business, but messages can be sent directly to that person's PC, phone or tablet. There is no clarity on this in the regulations.
The requirement to ensure that companies outside the EU process data under GDPR rules could prove interesting, particularly as some countries have existing data protection rules which do not match GDPR. To make an assessment, data protection officers are going to have to ensure that data is only processed to GDPR standards and that the processing organisation complies.