Small to Medium Size Business Environment:

Like many other business owners, you are working hard to keep your business running. However, we all have certain regulations that we must comply with, and the new General Data Protection Regulation ("GDPR") is no different.

What is GDPR (General Data Protection Regulation)?

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA.

Data Protection law changed on 25 May 2018 and organisations need to comply with the General Data Protection Regulation (GDPR). The EU General Data Protection Regulation (GDPR) has attracted media and business interest because of the increased administrative fines from 2019 for non-compliance. Not all infringements of the GDPR will lead to serious fines.

Besides the power to impose fines, the Information Commissioner’s Office (ICO) has a range of corrective powers and sanctions to enforce the GDPR. These include issuing warnings and reprimands; imposing a temporary or permanent ban on data processing; ordering the rectification, restriction or erasure of data; and suspending data transfers to third countries. The administrative fines are discretionary rather than mandatory; they must be imposed on a case-by-case basis and must be “effective, proportionate and dissuasive”. There are two tiers of administrative fines that can be levied:

  • Up to €10 million, or 2% of annual global turnover – whichever is higher.
  • Up to €20 million, or 4% of annual global turnover – whichever is higher.

The fines are based on the specific articles of the Regulation that the organisation has breached. Infringements of the organisation’s obligations, including data security breaches, will be subject to the lower level, whereas infringements of an individual’s privacy rights will be subject to the higher level.

Who does it Affect?

The regulation must be followed by every organisation that processes personal data of European Union citizens.

The GDPR considers ‘processing’ as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The GDPR considers ‘personal data’ as any information that could be used, on its own or in conjunction with other data, to identify an individual.

What it Means

It means that any organisation – whether a private business or public authority – that collects, stores, or shares ‘identifying’ data on European citizens will need to comply with the GDPR 2018.

It doesn’t matter whether that organisation is located in the EU or not, whether the data processing itself takes place outside of the EU, or whether it is conducted by third parties. If you’re responsible for the processing of data of EU citizens, you need to comply.

Don't know where to start?

Hazard 360 Ltd can assist you in becoming compliant at very economical rates.

Authored By:

Alan Smith CPP, PSP, FSyI