What is GDPR and why is it important?
The General Data Protection Regulation (or ‘GDPR’ for short) has changed the way in which we, as data subjects, handle our data and information. The Regulation came into force on 25 May 2018, becoming directly applicable in all Member States with regard to the protection of personal data. As a result, the Regulation has changed the way in which we retain and process personal data.
Who is ultimately affected by GDPR?
This depends on whether companies are operating in EU jurisdictions (and are therefore bound by EU data protection law) or are organisations outside Europe that store EU citizens’ data. Entities which do not adhere to the GDPR are subject to extensive potential penalties. These can reach up to €20 million or 4% of global turnover, whichever is higher. In view of this, entities must continue to emphasise the importance of being GDPR compliant.
In order to assure compliance with the GDPR, Grant Thornton offers renowned consultancy services to ensure the utmost compliance with the obligations set out under the Regulation. Moreover, Grant Thornton undertakes a familiarisation process with its clients to provide further guidance on the good practice measures available.
So why is data protection legislation transforming?
Since 1995, the Data Protection Directive (Directive 95/46/EC) has determined how individuals’ personal data is protected within the EU. However, since its inception there have been vast developments in the sophistication and scale of data creation and gathering – for example through the emergence of social media, cloud computing and geolocation services. As the directive predates these developments, it’s no longer suitable to govern the current data landscape; it needs to be refreshed to address modern privacy concerns and facilitate consistency across the EU. This is what the GDPR does.
The new regulation introduces a huge range of changes. Underlying this shift is the EU’s ongoing agenda to safeguard its citizens and their private information. The GDPR establishes new rights for individuals and strengthens current protections by applying stricter requirements to the way businesses use personal data. If they fail to comply, the sanctions are significantly larger.
What this means for your business
The GDPR is a valuable opportunity to understand your business’s data and use it more effectively. However, it requires strict adherence to the new regulation and a clear understanding of the changes in order to avoid large penalties.
First, it’s critical to be aware that the GDPR supersedes all existing data protection acts, and that it increases businesses’ obligations around data protection and their accountability for failure. It also applies across the full spectrum of data engagement – from the collection of personal data through to its use and disposal. Your organisation needs to embed policies and procedures to ensure that it monitors its GDPR controls and documents its compliance.
The new rules apply to organisations of any size that process personal data. Whatever the nature of your organisation, the GDPR has a substantial impact.
Understanding the core changes
The GDPR introduces wide-ranging changes that require thorough understanding, internal stakeholder acceptance, appropriate preparation and implementation across the whole business. To provide an overview, we’ve addressed some of the key changes here.
Better rights for data subjects
The largest shift is that individuals benefit from greatly enhanced rights, for example, the right to object to certain types of profiling and automated decision-making. Consent requirements are also more stringent. Consent must be explicit and affirmative, it must be given for a specific purpose and it must be easy to retract. Individuals can also request that personal data is deleted or removed if there isn’t a persuasive reason for its continued processing.
Organisations have far more responsibility and obligation. They need to publish more detailed fair processing notices – informing individuals of their data protection rights, explaining how their information is being used and specifying for how long. The new regulation also embeds the concept of privacy by design, meaning organisations must design data protection into new business processes and systems.
Formal risk management processes
Organisations must formally identify emerging privacy risks, particularly those associated with new projects or with significant data processing activities. They must also maintain registers of their processing activities and create internal inventories. For high-risk data processing activities, Data Protection Impact Assessments (DPIAs) are mandatory. It is also compulsory to appoint a Data Protection Officer (DPO).
Reporting data breaches
As part of the drive for greater accountability, data breach reporting has become stricter. If a significant data breach occurs, it must be reported to the Data Protection Commissioner within 72 hours and, in some cases, to the individuals affected without undue delay.
Penalties for non-compliance with the GDPR have risen considerably, up to €10 million or 2% of annual global turnover (whichever is greater) for minor or technical breaches, and €20 million or 4% of turnover for more serious operational failures.
Data processing requirements
The regulation also imposes new requirements on data processors, and includes elements that should be addressed contractually between data processors and data controllers.
What Grant Thornton can do for you
Compliance with the General Data Protection Regulation has become an important factor within the business environment, assisting in business growth and increased trust. As a result, Grant Thornton provides relevant information and assistance to anyone required to abide by the General Data Protection Regulation.
Grant Thornton has an experienced team to assist you and your business in ensuring adequate compliance with the GDPR. Our services vary according to the needs and requirements of the client, and include but are not limited to:
- GDPR consultancy services
- GDPR compliant audits
- Risk assessment and consultancy
- Policy drafting and reviews for pre-established documentation
- Accredited training sessions:
  - Beginner level training
  - Intermediate level training
  - Specialised GDPR training
The specialised training module is focused on providing a detailed perspective on and knowledge of the GDPR for Data Protection Officers, whereas the intermediate level training is suited to any other individuals tasked with handling GDPR matters (e.g., data breaches).
To discuss how we can help your business understand its GDPR requirements and become compliant with the new regulation, get in touch with one of our member firm specialists.
Grant Thornton also provides services that may improve GDPR controls within the business’ operations and procedures: