There really is no excuse for not knowing about GDPR. Like children playing hide and seek, it’s coming, ready or not, on 25 May 2018.
This practical guidance paper focuses on the immediate imperatives for chief audit executives (CAEs). Depending on when this is being read, there will either be days to go or the regulation is in force, either way, the time for talking has passed and it is time to act. Procrastination is not an option.
The EU’s General Data Protection Regulation (GDPR) replaces the Data Protection Act 1998 (which implemented the 1995 EU Data Protection Directive). Information regarding the regulation and compliance is available on the Information Commissioner’s Office website. Parliament will enshrine GDPR in a new Data Protection Act as part of the Brexit transition.
Change is necessary because of how personal data is now used in the digital era. People and organisations share, collect and utilise data in ways (Cloud, Facebook, Twitter) that were not known when the outgoing rules were created. The Cambridge Analytica/Facebook furore over the use of open data was a timely example of how the pace of technology capabilities can make governance obsolete.
GDPR introduces the concept of two key data roles:
- Data controller – states how and why personal data is processed
- Data processor – party doing the actual processing of data
Controllers are accountable for their data; they must ensure that processors are compliant.
GDPR applies to the data belonging to EU residents; the role of controller or processor is not limited by geography. The location of a processor is irrelevant given GDPR global reach.
Data misuse/breaches can lead to fines of up to €20 million or 4% of global turnover whichever is highest. The ICO itself has reminded businesses that fines are a last resort, of…
"You cannot escape the responsibility of tomorrow by evading it today"
- Abraham Lincoln