XMedius GDPR Hub
General Data Protection Regulation Information
XMedius GDPR Hub provides a resource with information about the EU's General Data Protection Regulation. Learn what the GDPR is, when it takes effect, why it matters, who it affects and how to comply with it.
The General Data Protection Regulation (GDPR) is a strategic business challenge that requires leadership, accountability, risk assessment and a solid plan for handling personal data from every organization. Our solutions are already playing a crucial role in enabling GDPR compliance for many of our customers, yet as of May 25th, 2018, companies that don't take action risk non-compliance that can lead to heavy fines and loss of reputation.
We believe that achieving GDPR compliance starts with awareness, and not just at the management level: personal data protection is everyone's business. We've compiled a resources section aimed at helping you develop a better understanding of what the GDPR encompasses and how to start prioritizing and planning so that you can become compliant with the new regulation as soon as possible.
The General Data Protection Regulation is a data protection and privacy regulation within EU law that aims to give individuals in the EU back control over their personal data. It also simplifies the regulatory landscape for international business by consolidating data protection rules across the EU. The GDPR replaces the 1995 Data Protection Directive (95/46/EC), but unlike a directive it does not require the national governments of EU member states to pass enabling legislation: it is directly binding and applicable once it comes into effect.
The GDPR also brings a new set of "digital rights" for individuals, reflecting the value of personal data in today's digital economy. The 1995 directive was enacted before the internet and cloud computing had created new ways for personal data to be exploited, and the GDPR aims to address that gap. It is the EU's way of strengthening data protection legislation and introducing more severe penalties for non-compliance in order to increase trust in the rapidly growing digital economy.
With the GDPR, the EU also wants to give businesses a clearer and more straightforward legal environment in which to operate. By making data protection law identical throughout the single market, the EU estimates that businesses will collectively save €2.3 billion per year.
The GDPR was adopted on April 27th, 2016. After a two-year transition period, it is enforceable as of May 25th, 2018. A lack of awareness seems to be a major challenge for most organizations: it has been estimated that around half of businesses are unaware of the GDPR even though it will affect them.
The GDPR is important because it strengthens the protection of individuals' rights and clarifies what companies that process personal data must do in order to safeguard those rights. Companies now have to publish transparent policies that explain the purpose of data collection and exactly how personal data will be used. Any company in the world, as well as any other body, that processes the personal data of individuals in the EU is required to document its processing, ensure that the processing is lawful, document the existence of sufficient procedures, provide information on its security measures and ensure that adequate data processing agreements are in place. Another reason the GDPR is so important is that it takes into account the challenges, and the inherent data security risks, of a rapidly evolving digital world.
Perhaps one of the biggest reasons that GDPR has received so much media and business attention is due to the penalties for non-compliance. It’s important to note, however, that not all GDPR infringements will lead to severe fines.
To uphold information rights, supervisory authorities such as the UK's Information Commissioner's Office (ICO) have a wide range of corrective powers to enforce the GDPR. These include:
- Imposing temporary or permanent bans on data processing;
- Suspending data transfers to recipients in certain third countries;
- Ordering the rectification, restriction or erasure of data.
Depending on which article of the regulation an organization has breached, it may also be subject to administrative fines. Fines are imposed on a case-by-case basis and must be "effective, proportionate and dissuasive".
There are two tiers of administrative fines:
1) Up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher.
2) Up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Infringements of an organization's obligations as a controller or processor, including failures to secure personal data, fall under the lower tier. Infringements of the basic principles for processing, of individuals' rights, or of the rules on international data transfers fall under the higher tier.
A supervisory authority must take several factors into account when deciding whether to impose a fine and how high it should be. These include:
- The nature, gravity and duration of the infringement;
- The intentional or negligent nature of the infringement;
- Actions taken by the organization to mitigate the damage suffered by individuals;
- Technical and organizational measures that have been implemented by the organization;
- Any previous infringements by the organization or data processor;
- The degree of cooperation with the regulator to remedy the infringement;
- The types of personal data involved;
- The manner in which the infringement became known to the authority, in particular whether, and to what extent, the organization reported it.
Do you have any questions about GDPR compliance, its implications for your business and the solutions we offer? Don't hesitate to contact our team; we will be happy to answer your questions.