We've had many regulatory and quality managers contact us at Qualsys recently about the new EU General Data Protection Regulation (GDPR), what it means for them, and how they can use EQMS to manage the changes.
This article is the first in a series we hope will help you prepare for GDPR with confidence. We've answered four GDPR FAQs.
1) Why the new regulation?
GDPR replaces the Data Protection Directive 95/46/EC, which determines how personal data should be processed and used within the EU. It's been designed to:
- Combine all data protection laws across Europe
- Strengthen data protection for all EU citizens
- Reshape the way EU organisations approach data protection
The regulation aims to protect all EU citizens from privacy and data breaches in an increasingly digital, data-driven world – one that's vastly different from the time in which the 1995 directive was established.
GDPR will be enforced across the EU from 25 May 2018, regardless of what happens with Brexit. The changes will take many organisations a long time to implement, so we recommend that you get started right away!
2) What happens if we get it wrong?
There's a lot at stake – fail to comply and you could be fined up to 4% of your global annual turnover.
The fine you face will depend on the type of breach and any mitigating factors. But know that they're meant to penalise your disregard for the regulation!
3) What does GDPR cover?
GDPR covers three roles: the data subject, the data controller and the data processor.
Data subject: your customer, employee, user or any EU citizen who's entrusted you with their personal data.
Personal data means any information relating to an identified or identifiable individual – for example, their name, address, social data or history.
Data controller: whoever data subjects entrust with their data, and the party responsible for deciding what happens to the data, what it's used for, and how it's handled.
GDPR extends the requirements for data controllers.
Data processor: any entity that handles personal data on the data controller's behalf.
If your organisation was considered a controller under the old directive, it'll most likely also be under GDPR.
Although the definitions of "controller" and "processor" haven't changed, their responsibilities have been extended. So where the old directive made the controller mainly responsible for data protection, GDPR will give the processor that responsibility as well.
4) Who in my organisation does GDPR affect?
These new rules herald a new era in how EU citizens' data are handled, with new obligations relating to:
- data subjects' consent
- making data anonymous
- notifying the relevant people when data protection is breached
- data transfers across borders, and
- appointing data protection officers
GDPR forces companies who handle EU citizens' data to reform their operations in a major way.
Getting to grips with the regulation can be more challenging if you're a global business. GDPR doesn't only cover organisations located in the EU, but the use of personal data relating to EU citizens by anyone in the world. If your organisation stores information about an EU citizen, you need to comply, regardless of local laws, or you could be prevented from trading with the EU.
Most organisations will need to make lots of changes to policies, processes, strategies and even systems to ensure they comply with GDPR. This poses many challenges for quality and compliance professionals.
What you should do now
Read Part 2 of our series, in which we explain how to prepare your employees for GDPR.