As a professional in a market that exists to support people and their data, you will no doubt be well aware that GDPR is now firmly on the horizon. The acronym is a bit like an iceberg: it looks as though you should be able to navigate safely around it, but in truth there is much, much more to it beneath the surface, and it can cause lasting damage if you don't approach it in the right way.
GDPR stands for General Data Protection Regulation, and it applies across the EU from 25th May 2018. But with Brexit underway, do we really need to comply with this new law? The answer is emphatically yes: the UK will still be in the EU when the regulation takes effect, and after March 2019 the UK will have its own broadly similar legislation in place, so steps taken now to comply will not be wasted effort.
There is no question that you will need to put new procedures in place. GDPR is a complex legal obligation and it’s important that steps are taken within every organisation to fully understand what action is required and how compliance can be achieved in a workable manner.
What information does GDPR apply to?
GDPR broadens the definition of personal data to any information relating to an identified or identifiable individual. This reaches well beyond names and addresses to online identifiers and location data, and to information about a person's genetic, biometric, mental, cultural, economic or social identity. From May next year, very little personal data will fall outside its scope, so it will be hard for any organisation to avoid having to comply with its requirements.
If you are the data controller (the organisation that decides why and how personal data is processed), a useful starting point is the accountability principle. Looking after the data is no longer enough on its own: you must be able to demonstrate that you are complying with the regulation. That extends to your supply chain, because GDPR permits controllers to use only data processors who can provide sufficient guarantees that they meet its requirements, bound by a written contract setting out what processing they may carry out. Reviewing those relationships and contracts now, rather than in May, will keep you on course for compliance before the deadline arrives.