Definition: The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).
The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based. GDPR applies to any organisation processing the personal data of individuals located in the EU, regardless of the organisation's own location or the individual's nationality. It sets out seven key principles which should lie at the heart of your approach to processing personal data:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
“Now that the GDPR has been adopted, the shape of the EU’s future data protection framework is clear and preparations for implementing the new Regulation have begun.”
David Smith, special adviser to Allen & Overy.
Source: The EU General Data Protection Regulation – Allen & Overy, 2017
Organisations now have to comply with much stricter requirements around data management and policy. Individuals in the EU have the right to:
- Be notified of personal data breaches that are likely to put their rights and freedoms at high risk.
- Access any personal data organisations hold about them.
- Be forgotten (have their personal data erased).
- Obtain their personal data in a portable format and reuse it for their own purposes.
Organisations must be able to demonstrate compliance by storing, managing, destroying and auditing personal data appropriately.
The GDPR became enforceable on 25th May 2018. Non-compliance can incur heavy fines. These financial penalties can be up to 4% of your annual global turnover or €20 million, whichever is greater (with a lower tier for lesser infringements of up to 2% of turnover or €10 million, again whichever is greater).
Apogee FTE can work with your organisation to understand your current situation and help develop a bespoke strategy and plan of action to work towards GDPR compliance and avoid the heavy penalties that would otherwise be imposed.