General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR), widely regarded as the biggest shake up of data protection law in 20 years, comes into force on 25 May 2018 and regardless of size, will affect every business located in the EU or trading with EU businesses which collects, stores or uses personal information.

There are therefore very few (if any) businesses in the UK for whom the GDPR will have no effect.

What has changed?

The new Regulation enhances individuals’ data protection rights and introduces a greater obligation for businesses to be transparent in how they use personal data.

All affected businesses are required to have appropriate policies and procedures in place to ensure that personal data is collected and processed lawfully. They will also need procedures to deal with Data Subject Access Requests (requests from individuals to provide details of all data held about them) and data breaches. 

Individuals will have the right to ask data controllers to erase all data held on them and to obtain a copy of their own personal data in a structured and machine-readable format.

Greater data protection rights for individuals will inevitably increase the regulatory burden for organisations. However, it is also an excellent opportunity for organisations to be proactive and get the personal information they hold in order. 

Why does it matter?

Changes under GDPR are aimed at moving companies away from a tick-box compliance attitude to the security and privacy of personal information, and towards a company-wide approach to managing the lifecycle of personal data.

The top ten key points are:

• GDPR has a wider geographic scope. You do not have to be based in Europe for it to apply. Any company that does business with EU residents will be subject to GDPR.
• Data Protection Authorities (DPAs) will have the power to enforce much more severe penalties for breaches of personal data. There is a tiered approach to fines under GDPR. The maximum fine that can be imposed for the most serious infringements, such as not having sufficient customer consent to process data, is 4% of annual global turnover or €20 million (whichever is greater).
• The definition of ‘personal data’ has widened and now explicitly includes online identifiers such as IP addresses and mobile device identity.
• Organisations will need to attain explicit consent from individuals regarding the processing of their data, and companies will no longer be able to use long, illegible terms and conditions. Individuals will also have more rights regarding the processing of their data, for example relating to data erasure (often referred to as the ‘right to be forgotten’) and data portability, which is the right to transmit their data to another controller.
• Technical and organisational measures regarding the protection of personal data are to become mandatory, with the GDPR outlining examples of the measures expected. These relate to the encryption of personal data, the ability to ensure confidentiality, integrity, and availability, and processes to test the effectiveness of security measures.
• Data processing registries will become mandatory. This means that organisations will need to keep a written (electronic) record of personal data processing activities, capturing the lifecycle of the data and the name and contact details of the data controller.
• The legislation is focused on attaining data protection by design and by default. Privacy by design is a concept that has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition.

How can the AC help get you prepared?

We have put together an ebook “Discover how GDPR will affect your Coaching Business” to give you a better insight to the changes and what they mean to you as a coach. We will also be sending a series of emails over the coming weeks to give you further insight into Data Collection, Protection and Security. For further information visit our GDPR pages or the Information Commissioners Office.

Complimentary Webinar with Michael Brennan – “Getting Set for GDPR (a plain English Guide)”

Our complimentary webinar with Michael Brennan is now SOLD OUT. However, if you would like to register for the recording, please click below and enter your details. Once the webinar is made available you will be notified. 

Other resources

Over the coming weeks, the AC will be sending out a series of emails looking at the key points for GDPR and what they mean to you.

What does GDPR mean for your business

Data Collection Best Practice: The Basics

Data Protection Compliance Checklist

Data Protection - What to teach employees

Data Breach - 4 Things to watch out for

A copy of the legal text, including all the recitals, can be found on the EU legal website here.

You can also find a breakdown of what is required on the Information Commissioner's website (UK) or, for our Ireland members, on the Irish Data Protection Commissioner's website.