The New EU General Data Protection Regulation
What is it?
The EU Parliament has ratified new legislation intended to strengthen and unify data protection for individuals within the EU. It also governs the transfer of personal data outside the EU. The primary objectives of this legislation are to give citizens back control of their personal data and to simplify the regulatory environment for international business by replacing the patchwork of national laws with a single regulation that applies across the EU.
What is the Scope?
Any organisation, wherever in the world it is based, that processes personal data about individuals in the EU. For organisations established outside the EU, this applies when they offer goods or services to, or monitor the behaviour of, people in the EU.
Should UK companies seek to become compliant despite BREXIT?
Yes. Brexit is a long process, and EU legislation remains applicable to the UK even after Article 50 (introduced by the Lisbon Treaty) has been triggered, right up to the date the exit takes effect. Based on the current exit schedule, and assuming there are no delays, the UK would leave the EU around April 2019, whereas the new EU data protection legislation becomes enforceable on 25 May 2018. UK companies therefore need to be compliant for at least the period between the enforcement date and the completed exit.
Moreover, most UK companies will continue to process personal data about individuals in the EU after Brexit, and so will need to be compliant regardless of the UK's membership status.
What does “process data” mean?
Processing, in relation to information or data, means obtaining, recording or holding/storing the information or data or carrying out any operation or set of operations on the information or data, including but not limited to:
(a) organisation, adaptation or alteration of the information or data,
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
(d) alignment, combination, blocking, erasure or destruction of the information or data.
What are the sanctions for non-compliance?
Sanctions are assessed on a case-by-case basis and depend on a number of factors, such as the nature and gravity of the infringement and the measures the organisation had taken to mitigate it. For the most serious infringements, fines can reach EUR 20,000,000 or 4% of the organisation's total worldwide annual turnover for the preceding financial year, whichever is greater. A lower tier of EUR 10,000,000 or 2% of worldwide annual turnover applies to less serious infringements.
By what date should organisations become fully compliant?
As mentioned earlier, the legislation becomes enforceable on 25 May 2018. Any organisation found to be non-compliant after that date may be penalised.
Do I have to become compliant even if I am a small organisation or enterprise?
Yes. Applicability does not depend on the size of your business. If your organisation, or any entity related to it, processes personal data about individuals in the EU, even something as minor as storing an email address, you should seek professional help in order to achieve compliance before the deadline.
Would it be sufficient to achieve ISO27001 or COBIT 5 compliance?
No. The new EU data protection legislation introduces its own specific set of requirements and obligations. If you are already ISO 27001 certified, that will be very helpful, since the ISO standard touches on information security controls that support data privacy, but it is not sufficient on its own to satisfy the new legislation. Achieving both ISO 27001 certification and compliance with the new EU data protection legislation gives your organisation a competitive edge and a differentiating advantage.
How long does it take my business to become compliant?
Becoming compliant depends on a number of factors, so we cannot give a one-size-fits-all estimate. Normally we need to assess your business before we can give you an indication of how long it will take. It is always important to start your project early enough to achieve compliance well before the enforcement date.
Please do get in touch and our consultants would be pleased to answer all your questions.
How much does it cost to become compliant?
Every business has specific requirements, and ballpark figures are not possible without a proper assessment. Please do get in touch; our consultants would be pleased to attend to all your queries and provide you with a detailed quotation.
What should I do next?
Call London Consulting Ltd. on +44 3333 44 333 7 now! Alternatively you can use our Contact Us form to send your query.