Professional September 2018

TECHNOLOGY INSIGHT

GDPR – eat the elephant

Claire Wright, data privacy officer at MHR, looks at what GDPR is and what organisations should be doing to comply

With constant fear-based articles littering our social news feeds about the exponential costs of a data privacy breach, the importance and practicalities of General Data Protection Regulation (GDPR) readiness are getting lost or ignored, which itself is creating an unknown and potentially costly business risk. Research shows us that many organisations are aware of its existence but have little or no direction. The purpose of this article is to dispel common myths and apply a practical approach to assessing and managing GDPR maturity.

What is the GDPR?

On 25 May 2018, the GDPR will come into force and replace current United Kingdom (UK) and European Union (EU) data protection legislation. Its purpose remains the same as the current regime: to protect the rights and privacy of individuals. Five years in the making (or, more specifically, debating), the GDPR presents the most significant change in twenty years to privacy legislation. The GDPR is a response to calls for a harmonised approach to privacy in a world where data is seen as a commodity and used for commercial advantage.

It’s EU law, so why comply?

Organisations that are not planning to become GDPR-ready, or had started their GDPR-readiness journey then stopped when the Brexit results were announced, need to rethink their strategy. Let’s debunk the myth that because we are exiting the EU we do not need to be GDPR compliant – we do.

The GDPR will apply to any company based in the EU and/or processing the personal data of EU citizens, leaving very few companies exempt from the obligations of this new regulation. The Queen even referred to GDPR in her speech on 21 June 2017, stating: “To implement the General Data Protection Regulation and the new Directive which applies to law enforcement data processing, meeting our obligations while we remain an EU member state and helping to put the UK in the best position to maintain our ability to share data with other EU member states and internationally after we leave the EU.” This is further confirmation that the UK will implement a UK Bill post Brexit which reflects the GDPR framework.

What differentiates DPA and GDPR?

There are subtle differences between the Data Protection Act (DPA) and the GDPR. The most significant of these is the increase in fines of up to 4% of international turnover or €20 million, the threat of which has begun to turn the heads of senior management to act. There is also the increased obligation on both ‘data controller’ and ‘data processor’ to be able to actively demonstrate compliance with the GDPR, and the ability for supervisory authorities to bring legal action against both parties. Let’s maintain perspective though, as the best practice principles and conditions of processing remain largely the same. Therefore, organisations should be able to meet and demonstrate the new obligations with limited additional maturity required. Others, however, will need to take a deeper dive and map their journey of maturity over the next ten months.

Key definitions

Let’s revisit some of the key terminology so as not to cause confusion.

● ‘Personal data’ has a pretty broad meaning; it is “any information by which a living individual can directly or indirectly be identified”. This could be something as simple as a name, or it could be an employee number on an email which may mean nothing at first glance but, with access to the payroll system, could identify an individual.

● ‘Data controller’ is the big cheese: “the organisation or individual who determines the purpose and manner in which the personal data is processed”. Vague? In the context of payroll this would be the employer. The controller has overall responsibility for the protection of the personal data including that which is

Professional in Payroll, Pensions and Reward | September 2017 | Issue 33
