The deadline has long passed for you to be GDPR compliant. Still unsure? Let us help.
A UK study has found that organisations of all sizes are still not compliant with the regulation.
Back in 2018 a new directive for data privacy was launched – GDPR, the General Data Protection Regulation. At the heart of this directive are improved rules on keeping personal data safe and, of course, increased fines for non-compliance.
The maximum fine for serious infringements is 20 million euros or 4% of global turnover, whichever is greater. Less serious issues, such as failure to notify about a data breach, carry a fine of 2% of turnover.
GDPR now also requires that the ICO (Information Commissioner's Office) be informed of a data breach within 72 hours of your organisation becoming aware of it.
GDPR is a requirement for all EU businesses – our 7 Day GDPR Tips & Compliance Email Series explains all that you need to know.
Discover: Identify what personal data you have and where it resides
The first step towards GDPR compliance is to assess whether the GDPR applies to your organisation, and, if so, to what extent. This analysis starts with understanding what data you have and where it resides.
Does the GDPR apply to my data?
The GDPR regulates the collection, storage, use, and sharing of “personal data.” Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person.
If your organisation has such data—in customer databases, in feedback forms filled out by your customers, in email content, in photos, in CCTV footage, in loyalty program records, in HR databases, or anywhere else—or wishes to collect it, and if the data belongs or relates to EU residents, then you need to comply with the GDPR. Note that personal data doesn’t need to be stored in the EU to be subject to the GDPR—the GDPR applies to data collected, processed, or stored outside the EU if the data is tied to EU residents.
Building your inventory
To understand whether the GDPR does apply to your organisation and, if it does, what obligations it imposes, it is important to inventory your organisation’s data. This will help you to understand what data is personal data, and to identify the systems where that data is collected and stored, understand why it was collected, how it is processed and shared, and how long it is retained.
Manage: Govern how personal data is used and accessed
The GDPR provides data subjects—the individuals to whom data relates—with more control over how their personal data is captured and used. Data subjects can, for example, request that your organisation provide information on the processing of data that relates to them, transfer their data to other services, correct mistakes in their data, or, in certain cases, restrict their data from further processing. In some cases, these requests must be addressed within fixed time periods.