GDPR (General Data Protection Regulation)
Become GDPR Compliant with Pink Connect
GDPR GAP ANALYSIS
The General Data Protection Regulation (GDPR) comes into effect in the UK on the 25th May this year, unifying the law on Data Protection across Europe.
GDPR is new legislation to replace the UK Data Protection Act. It adds huge legal responsibility for the safe use of personal data directly onto your shoulders, ensuring the safety of personal data is taken seriously.
Pink Connect offers a GDPR Gap Analysis to help organisations understand their current compliance status against the GDPR and prioritise the steps needed to become compliant. Conducting the GDPR Gap Analysis will help organisations recognise how much time and resource is required, making the transition to compliance as seamless as possible.
The GDPR Gap Analysis covers various areas of the regulation, including:
- Subject Access Requests
- Obligations of Controllers
- Obligations of Processors
- Whether appointing a Data Protection Officer is applicable
- Breach Notifications
- Data Protection Impact Assessment
The GDPR Gap Analysis goes into depth on what is required for each criterion, making it easy to understand.
Below are the advantages of conducting the GDPR Gap Analysis:
- Identifying your current compliance status.
- Identifying any possible risks to personal data.
- Gaining a better understanding of how long implementation will take (bear in mind it is an ongoing process).
- Allowing organisations to improve how they handle personal data (giving clear transparency of the life cycle of personal data kept within the organisation).
- Giving organisations a better understanding of the entire processing life cycle of personal data.
To gain a better understanding of GDPR, or to answer any queries on the regulation, see the FAQ below.
- What is GDPR?
It is the General Data Protection Regulation and it replaces both the Data Protection Act and the Data Protection Directive.
- When will GDPR become law?
GDPR was adopted by the EU Parliament in April 2016 and will become UK law on the 25th May 2018.
- Will GDPR remain after Brexit?
Britain will implement and maintain GDPR even after leaving the EU.
- Whose data will GDPR cover?
It will cover all personal data of any living person within the EU.
- What data does GDPR Cover?
GDPR covers two types of data. The first is personal data, meaning any information that can identify a person. This includes the following:
- IP address
- Location identifier
- Email address
- Photographs
- Bank details
The other type is sensitive personal data, which includes:
- Race/ethnic origin
- Health data
- Biometric data
- Sexual orientation
- How will GDPR change the way we capture data?
GDPR requires companies to show they have obtained consent from individuals to capture their personal data. The consent request should be unambiguous to the individual and will need to include the following information:
- How long the data will be held for
- What the data will be used for
- Who else will have access to the data
Additionally, individuals should have a choice on whether to give consent, and it should be as easy to withdraw consent as to give it.
- What is a SAR (Subject Access Request)?
A data subject can request information regarding the personal data a company holds about them. Companies have one month to handle the request and report back; if the request is complex, an extra month can be given. Information that can be requested includes:
- What the information is needed for
- Who else has access to it
- Where the data was collected, if it was obtained from another source
- What is "Right to be Forgotten"?
Individuals can request to have all their personal data erased from the company's database and from any third party involved.
- How do you get consent for subjects 16 years and under?
When capturing personal data from an individual under the age of 16, parental consent is needed, although some countries may choose to set the minimum age to 13.
- How long can personal data be retained?
GDPR does not specify how long a company should retain personal data. However, it does state that personal data should not be retained for longer than necessary.
- What happens if a Data breach occurs?
Once a breach occurs, companies have 72 hours from when the breach was identified to report it to the ICO (Information Commissioner's Office). If personal data has been leaked, companies will be given the highest fine.
- What are the fines?
Depending on the articles violated, you can face one of two tiers of fine. The first tier is 2% of annual turnover or €10 million. The second and highest tier is 4% of annual turnover or €20 million.
- What are Controllers and Processors?
The Controller (an individual) determines the purpose of the personal data that will be processed and should demonstrate compliance with the regulation.
The Processor (a second individual) works on behalf of the Controller. If any breach occurs, the Processor must notify the Controller without delay.
- What about companies outside the EU capturing EU residents' data?
All companies outside the EU still need to abide by GDPR when handling personal data from the EU. Companies that are not based within the EU but offer services or products within the EU will need a representative within the EU.
- What is a Data Protection Officer and will my company need one?
A Data Protection Officer is a person who oversees the protection of personal data and ensures the company complies with the GDPR requirements. A Data Protection Officer will need to be appointed if the company stores or processes a large amount of personal data.
- What Certifications will help with compliance of GDPR?
Certifications that can help with GDPR compliance are Cyber Essentials, PCI DSS and ISO 27001. Further compliance work will still be required; however, without these, non-compliance is guaranteed.