A new EU regulation will soon come into effect which will impact how all organisations collect and process people’s personal data. The General Data Protection Regulation, most commonly known as GDPR, will become a legal requirement of all organisations on 25th May 2018.
As we approach May 2018, we will continue to focus on our own GDPR compliance efforts while also trying to educate and inform as many business leaders as possible. During our implementation period for this Regulation, we are evaluating the new requirements and restrictions imposed by the GDPR and will take any necessary and appropriate action to ensure that we handle personal data in compliance with applicable law by the 2018 deadline.
We utilise many industry-standard information systems, including secure third-party cloud-based solutions, and restrict access to customer data by our employees and agents. Connections to IoD.com are encrypted as an additional safeguard wherever an exchange of personal data may take place. As an organisation, we will seek to continually ensure we only hold those personal details of our members that are necessary for the lawful processing activities associated with the delivery of our products and services. With an established legal basis for such processing, we anticipate a smooth transition when GDPR arrives and takes full effect.
Updated terms of business based on changes that we’ve implemented will be rolled out in early 2018. This will be communicated to all IoD members, staff, customers, suppliers and published on IoD.com for future reference.
If you have any concerns or questions regarding the IoD’s position on GDPR please get in touch with us via email at: GDPR@iod.com.
IoD Data Protection Officer
Frequently Asked Questions
What is GDPR?
In May 2018, the General Data Protection Regulation (GDPR), introduced by the European Union, will come into effect.
The General Data Protection Regulation (GDPR) is the result of 4 years of work by EU member states to address new and emerging data threats. As compared with the Data Protection Act, it introduces harsher fines for companies which aren’t compliant and gives consumers greater control over the ways their personal data is being used. These regulatory changes will help bring consistency throughout the EU and worldwide for organisations seeking to do business with EU Citizens.
What are the penalties for non-compliance?
It’s important to understand that the penalties for non-compliance with the provisions of GDPR are substantial. Regulators can impose administrative fines up to 2% of annual revenue or €10 million, whichever is higher, for non-compliance with “technical measures” (like impact assessments and breach notifications). Those fines increase to the greater of €20 million or 4% of global annual turnover for non-compliance with “key provisions” of the GDPR.
What impact will Brexit have on GDPR?
Brexit has no effect on the need for UK businesses to be compliant with GDPR. In September this year, the UK Government published the draft Data Protection Bill 2017, which brings GDPR into full effect within UK law and alters some key parts such as the age of minors. There are no material changes or exclusions from the full EU version, so companies can begin to prepare and implement structures, ensuring they are GDPR compliant by May 2018.
Is the IoD GDPR compliant?
Although GDPR went into effect in May 2016, EU businesses (including those in the UK) have until 25 May 2018 to be compliant. We aim to be compliant with the key principles of the Regulation by May 2018 with what is widely regarded to be “Privacy by Default” and it is our intention to be compliant with all aspects shortly after by adopting an organisational mantra of “Privacy by Design”.
What is the IoD doing to achieve compliance?
It’s a time-consuming and complex process to achieve full GDPR compliance. In brief, to protect the personal information of our members, customers and staff, we are taking the steps necessary to ensure compliance, including the following key steps:
- Perform a compliance audit: it’s important to understand the legal framework of GDPR and to audit our current IT practices as they relate to that framework. We have already appointed a data protection officer (who has a legal background) to help us understand the new regulations and create a compliance plan to be completed prior to the May 2018 deadline.
- Create a data register: if a breach occurs during the early stages of implementation, we will need to demonstrate the steps we’ve taken to achieve compliance. The best way to do that is by maintaining a careful record of those steps in the form of a data register setting out what we collect, how we store, use and share such data, how we protect it, and the risks we have identified in using the data. Think of this as a GDPR Data Playbook.
- Complete privacy impact and data protection impact assessments: this step involves evaluating the way personal data is produced and protected. We will be challenging why each piece of data is being collected and whether it’s necessary for our business. We will also assess our current security policies and data protection strategies (for example, are we protecting data through encryption or tokenisation?) as they relate to the rights of our users and the provisions of the GDPR.
- Revise and repeat the process: we can’t assume that our first pass will identify all potential security threats to the personal information we use. For that reason, it’s important that we repeat the process to identify and revise anything we missed during the first stage of implementation. This will be a key tenet in our transition from ‘Privacy by Default’ to ‘Privacy by Design’.