General Data Protection Regulation (GDPR) is set to go into effect on 25 May 2018. But what is this regulation, what will it change and why should those in finance take notice?
What is it?
GDPR is said to be the “most important change in data privacy regulation in 20 years”. It is a regulation that was approved by the EU Parliament in April 2016 and is set to replace the Data Protection Act 1998. The aim of this regulation is to strengthen the protection of data by harmonising data privacy laws across Europe.
To whom, what and where does it apply?
It is intended to give people more control over their personal data and to give businesses a clearer and simpler legal environment to operate in. It will apply to all companies that are based in the EU that hold and process personal data, regardless of the size of the business and regardless of whether the processing of the data takes place outside of the EU. Personal data refers to any data by which a person can be identified. This includes email addresses, names, bank details, photos, medical information or even a computer’s IP address. Sensitive data refers to genetic and biometric data that can be used to identify an individual.
One of the most significant changes that will occur because of GDPR concerns consent. All companies will have to ensure they provide clear requests for consent in a way that is easily understood and accessible. They must also ensure that individuals find it as easy to withdraw their consent as it was to give it.
If a breach of data occurs, notification will have to be given within 72 hours of the breach. Failure to comply, or to address the breach, will then result in heavy penalties for the business in question.
Data access and erasure
When GDPR goes into effect, individuals will have the right to ask data controllers whether their personal data is going to be processed, as well as where it is going to be processed and for what purpose. Individuals will also be able to request and receive a copy of their personal data in electronic format from the controller. They will also have the right to be forgotten, by requesting that the controller deletes their data.
Data Protection Officers
A Data Protection Officer (DPO) will have to be appointed by organisations that undertake large-scale systematic monitoring of individuals or large-scale processing of sensitive personal data, as well as by public authorities. The DPO will be in charge of advising an organisation and its employees on the compliance obligations of GDPR, as well as monitoring GDPR compliance, training employees and conducting internal audits. They will be the key contact for individuals whose data is processed. The DPO has a number of responsibilities, so organisations should ensure that they report to the highest management level, have the ability to operate independently and have sufficient resources in order to carry out their GDPR duties.
How will this impact those in finance?
Considering the wide reach of the GDPR regulation, financial organisations of all kinds will be affected. They will have to remodel their existing systems and make way for systems that comply. They will have to pay special attention to client consent, data erasure, the consequences of a breach, vendor management and pseudonymisation. It is slightly worrying that a study published earlier this year revealed that 82% of the UK’s small and medium businesses were unaware of GDPR. That is an alarming rate and we hope this changes quickly.