The General Data Protection Regulation (“GDPR”) is a European data protection law which became applicable on 25 May 2018. Its reach is extraterritorial: it requires data ‘controllers’ and ‘processors’, even if located outside the EU, to protect the ‘personal data’ of individuals within the EU.
Are there any penalties for breach? The penalties for breaching GDPR are severe: non-compliance can lead to administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher. These penalties also apply to organisations outside the EU.
What is ‘Personal Data’? ‘Personal data’ is any information relating to an identified or identifiable living individual (the ‘data subject’). This includes indirect identifiers such as online identifiers and location data, not only names and contact details.
What is a ‘Data Controller’? A ‘Data Controller’ is an entity located anywhere in the world which determines the purposes and means of processing the personal data of EU-based individuals.
What is a ‘Data Processor’? A ‘Data Processor’ is an entity located anywhere in the world which processes personal data on behalf of, and on the documented instructions of, a data controller.
GDPR gives individuals greater control over how their personal data is collected and processed by organisations. They may, for example, request the rectification or erasure of their data, object to profiling or automated decision-making, request a copy of their data, or have it ported to another provider.
Organisations, regardless of size, must adopt ‘data protection by design and by default’ in the processing of personal data. Appropriate technical and organisational measures, proportionate to the risk, must be adopted to manage the risks posed to individuals by the data processing activities.
Depending on the level of risk, the location of the processor/controller and whether the entity is a private or public body, organisations may need to conduct data protection impact assessments, keep detailed records of processing activities, appoint an EU Representative or a Data Protection Officer, and ensure and demonstrate compliance by conducting regular training and gap analyses.
We cater for all types of organisations and have specialists available to assist public bodies and authorities.