What is the General Data Protection Regulation (GDPR)?
On 14 April 2016, the General Data Protection Regulation (GDPR) entered into force. The GDPR has been applicable since 25 May 2018. The GDPR is a new European privacy law applicable to organisations processing the personal data of European citizens. This mainly involves protecting the personal information of European residents, but also regulating the dissemination of personal data outside the European Union.
The legislation is applicable if:
- the data controller (the organisation processing the data) has its home base in the EU, or
- the person to whom the data relates is an EU resident.
The law is not applicable if the data are processed by competent authorities for the purpose of promoting national security.
This regulation replaces the previous EU regulation from 1995, which no longer met today’s privacy requirements for our society.
What will change for your organisation?
The introduction of the GDPR involves several changes for your organisation. A number of important changes are the following:
- Strengthening and extending privacy rights: personal data relating to an individual are better protected by law. In addition, individuals from whom you collect and process data have the right to access their data.
For example: If you collect personal data such as email addresses, individuals from whom you have this data may request you to share it with them and delete it when asked to do so.
- more responsibilities for organisations: organisations may only collect and store personal data that is necessary for the implementation of the business processes. You must also take demonstrably effective measures to process and store personal data securely.
For example: If you are building applications, you need to take into account the data you need to collect during the design phase and ensure its safety and transparency. This is also referred to as “privacy by design”.
- The same robust powers for all European privacy regulators, such as the power to impose fines of up to €20 million.
For example: If you do not meet the requirements of the GDPR, the European privacy regulators have the power to impose fines of up to 20 million euros or 4% of annual turnover. This applies to both large and small organisations.
Non-compliance with the requirements of GDPR can lead to fines of up to €20 million or 4% of the annual turnover of companies. In the event of a single unintentional violation, a written warning may also be sent. Periodic audits can be carried out for this purpose.
The impact of the GDPR is different for each business. It is very important that your organisation complies with the new rules before the regulation enters into force in May 2018.
How can Brand Compliance help you?
Brand Compliance offers a total solution for visible compliance with the GDPR: From the certification standard, training, baseline measurement to the actual certification as proof of your GDPR compliance.
- Certification standard: a practical framework for implementing the requirements of the GDPR
- Training: you learn everything about the content of the GDPR and the application of the certification standard for your organisation in one day.
- Baseline measurement: our auditors examine where your organisation stands with regard to GDPR. After one day at your location, you will receive a report with opportunities for improvement.
- Certification: assessing whether your processes have been set up to meet the requirements of the regulation.