By Mark Miller, Business Unit Director, Learning Solutions

The General Data Protection Regulation - what does it mean for your organisation?

The introduction of the European General Data Protection Regulation (GDPR) heralds the most significant change to data protection law in the EU, and globally, in recent years.

The EU General Data Protection Regulation (GDPR) was adopted in April 2016 and will take effect across the European Union (EU) on 25 May 2018, when it supersedes the 28 current national data protection laws based on the 1995 Data Protection Directive (DPD).

The purpose of GDPR

Introduced to keep pace with the modern digital landscape, the purpose of the new Regulation is twofold:

1.To improve consumer confidence in organisations that hold and process their personal data by reinforcing their privacy and security rights consistently across the EU

2.To simplify the free flow of personal data in the EU through a coherent and consistent data protection framework across the member states.


Does it still apply with Brexit happening?

For those who think that Brexit might mean the UK does not need to worry – think again. It will become UK law and is a prerequisite for all businesses and keepers of data who operate in or trade with the EU. UK organisations handling personal data still need to comply with the GDPR, regardless of Brexit.

The government has confirmed that GDPR will apply in the UK, a position endorsed by the UK’s Information Commissioner.

A matter of urgency

Every organisation that processes or shares personal data now has less than 18 months to comply with the new Regulation. This involves organisations understanding what personal data they currently hold or process and the risks to that data, adapting their business processes and infrastructure, implementing tools and compliance processes, and changing the way they collaborate with suppliers.

In some instances, those changes could be significant and work will need to start as a matter of urgency. Bear in mind that every organisation in the EU is simultaneously faced with the same timetable, and that skilled compliance resources are already in short supply.

Regulatory compliance may be viewed by many as an administrative burden. However, ignoring the GDPR or getting it wrong could have costly repercussions: organisations found to be in breach of the Regulation face administrative fines of up to 4% of their annual global turnover or €20 million – whichever is greater.


EXAMPLE: Data transfers outside the EU

The Regulation prohibits the transfer of personal data outside the EU to a third country that does not have adequate data protection. The European Commission has the power to approve particular countries as providing an adequate level of data protection, taking into consideration the data protection laws in force in that country and its international commitments. At present this list is Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.

For data transfers to any country not on the list, there must be a legal contract that stipulates that the non-EU recipient agrees to the data protection safeguards required. The Regulation explicitly recognises and promotes the use of binding corporate rules as a valid data transfer mechanism within groups of companies. Approved codes of conduct also can be used for data transfers.

There are six main principles

  1. Personal data must be processed lawfully, fairly and transparently

  2. Personal data can only be collected for specified, explicit and legitimate purposes.

  3. Personal data must be adequate, relevant and limited to what is necessary for processing.

  4. Personal data must be accurate and kept up to date

  5. Personal data must be kept in a form such that the subject can be identified only as long as necessary for processing.

  6. Personal data must be processed in a manner that ensures its security.


What might this mean for your organisation?

Firstly you may need to address compliance issues. This will include the assessments and transitional systems changes to meet compliance. There may be new internal requirements and measures to put in place that will have commercial impacts – leading to a need for capability building, compliance coverage, leadership and transformational programmes to be implemented. It changes the way data is managed, created and used. Much of the Big Data growth relies on data that will fall under the EU GDPR and this is by design.

To meet the principles above there will need to be a demonstrable, auditable and effective data management in place. You may need to bring in specific data management skills to do this.

We are already building curricula for clients that will implement substantive changes to capability in this field. We have partners (such as IT Governance UK) who are experts in these areas and with whom we work with to bring new learning products to the market to ensure clients are in good shape to comply by May 2018.