What is GDPR?
The EU General Data Protection Regulation (GDPR) is the largest development in data protection legislation since the European Data Protection Directive in 1995. On 25 May 2018 GDPR comes into force, revolutionising the way in which personal data is used and handled and imposing greater regulatory control over the data.
The new regulation shifts the focus from organisational responsibilities to the rights of individuals. Most importantly, it introduces substantial penalties for non-compliance (potentially up to 4% of worldwide revenues).
Organisations need to make the effort to become compliant before 25 May 2018; doing nothing is not an option. With the deadline fast approaching, there are still actions you can take now to ensure you comply.
What does it mean for your organisation?
If you are an organisation processing personal data in Europe; or you are targeting Europe for goods and services; or you are monitoring the activities of European citizens online, you will need to comply with GDPR. GDPR applies to organisations anywhere in the world that hold or use the personal data of anyone in an EU member state.
Despite the measures required to become compliant, the introduction of GDPR will also provide an opportunity for organisations to:
- transform their approach to privacy
- harness the value of their data, and
- ensure the organisation is fit for the digital economy
Key points to note
- Individuals – customers, clients and workers will have more control over their personal data
- Transparency – how organisations use data will be more transparent. GDPR sets out a number of principles with which data controllers must comply when processing data
- Accountability – organisations will be subject to higher standards of accountability – there will be a requirement for organisations to prove their compliance by keeping records of processing activities and providing individuals with notice of their rights. In addition, any data passed on to third parties must be handled in a manner compliant with GDPR
- Consequences – GDPR introduces tougher enforcement regimes and exposes organisations to increased financial liabilities. Non-compliance can be as severe as the higher of 4% of annual turnover or 20 million euro
- Rights – data subjects’ rights have been strengthened – these rights aim to allow individuals to have control over their personal data and entitlement to sue for compensation if they suffer damage or distress by reason of non-compliance.
What should you be doing ahead of 25 May?
As an organisation you may be holding a vast amount of personal data about your international assignees. While some of this may be in centralised HR systems that may already be part of a data privacy review, global mobility teams often have data held in assignment management systems, and other vendors may also have their own systems and links into your technology platform. Knowing what data is being stored is critical, as well as where and how the data is hosted.
While the impact of the regulations is still being determined, it is clear that regulators will have a much greater focus on data breaches that carry the highest impact for individuals. Starting the journey to being data compliant now will involve understanding what data you hold, what data should be deleted, how you process that data and the potential impact it may have on an individual if their data privacy is breached.
PwC have a number of different services to assist with all parts of your GDPR journey.
Please get in touch with firstname.lastname@example.org or email@example.com if you would like to know more. We can answer your questions and help you think through which of our services may be suitable for your organisation.
You can access a lot of useful information about GDPR on PwC Suite. The Suite is a PwC-run, members-only platform housing a hand-picked selection of expert insight and resources to help you to do your job day to day, from HR and reward to policy, strategy and tax technical. To request free access, please contact Jil Solanki on firstname.lastname@example.org