WHAT IS THE GDPR
The General Data Protection Regulation (GDPR) is the binding law that will regulate data protection across the European Union (EU). The GDPR comes into force on 25 May 2018, and will replace the Data Protection Directive 95/46/EC. The GDPR will harmonise data privacy laws across the EU. In doing so, the aims of the GDPR are to give people more control over how their personal data is used, and to give businesses a simpler, clearer legal environment in which to operate.
The GDPR will also apply to data controllers and data processors located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.
APPLICATION OF THE GDPR
The GDPR regulates the processing by an individual, company or organisation of personal data relating to individuals in the EU. However, this does not mean that it only impacts data controllers and data processors based in the EU; rather, the GDPR will also apply to data controllers and data processors located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. In sum, the GDPR applies to all data controllers and data processors – regardless of location – that process and hold the personal data of data subjects residing in the EU.
The GDPR also regulates the transfer of personal data to third countries outside of the EU or to international organisations. This affects, for instance, anyone doing business with an EU-based company. As set out in Chapter V of the GDPR, such data transfers may only take place if the European Commission has decided that the third country or international organisation ensures an adequate level of protection; the transfer is subject to appropriate safeguards; or the transfer is subject to approved binding corporate rules of a group of undertakings or enterprises. The GDPR also permits certain specified derogations from the general prohibition on transfers of personal data outside of the EU, such as where the transfer is made with the data subject’s informed consent or where it is necessary for important reasons of public interest.
The GDPR imposes significant penalties for non-compliance with its provisions.
WHAT YOU NEED TO KNOW
Different organisations will have different approaches to ensuring compliance. Some of the key questions to consider include:
- Does the GDPR apply to you? Even if it does not, organisations may nevertheless want to adopt some of the key principles as a matter of good practice.
- Are the necessary people in your organisation aware of the GDPR and its implications? Whilst it is always helpful to have buy-in at the top levels of management, compliance is required throughout the organisation.
- Are you formally required to designate a data protection officer (DPO)? This will depend on the nature of your organisation’s core activities or scale. If you are required to designate a DPO, the person should have the knowledge, support and authority to carry out the role effectively.
- What personal data do you collect, store and share? Conduct a thorough information audit, and ensure that records of processing activities are maintained.
- Are your privacy policies and notices up to date? Whether this requires drafting from scratch or updating existing policies and notices, special care should be taken to ensure that the new obligations imposed by the GDPR are included.
- Do you have a lawful basis for processing personal data? Identify the lawful basis for each processing activity, document it, and update your privacy notice to explain it.
- Do you rely on consent clauses for the processing of personal data? If so, such consent should be freely given, specific, informed and unambiguous.
- Do your procedures cover all the rights that data subjects have under the GDPR? This includes, for instance, the right to be informed, the right of access, the right to rectification and erasure, and the right to data portability.
- Do you have appropriate data security safeguards and procedures in place to detect, report and investigate a personal data breach? It is also important to know under what circumstances you are required to notify the regulator and/or data subject of a breach.
- Do you carry out cross-border data transfers? Organisations should map such data transfers, and carefully assess whether the requirements of the GDPR and any other regulatory framework relevant to such transfers are met.
OUR GDPR SERVICES
Helping you become GDPR compliant
ALT Advisory offers the following GDPR compliance services:
- Compliance audits: We conduct a review of your compliance with the GDPR, identify areas of concern or risk, and propose next steps to remedy this.
- Privacy policies, notices and consent clauses: We assist with drafting and/or updating privacy policies, notices and consent clauses to meet the requirements of the GDPR.
- Cross-border data transfers: We map your cross-border data transfers and identify the applicable regulatory frameworks that require compliance. We also assist with drafting binding corporate rules.
- Advisory services: Have a question or want to know how a particular provision of the GDPR affects your organisation? We can assist with guidance and comparative research to resolve your concern.
- GDPR training: We offer in-person and online training that is tailored to suit the specific needs of your organisation. This includes train-the-trainer sessions, training for key personnel, or workshops for larger groups.
It’s never too early or too late to start the process. For more information about how we can assist you with the GDPR or other data protection frameworks, please get in touch.