Overview of the GDPR
- The General Data Protection Regulation (“GDPR”) comes into force on 25 May 2018 and has wide-reaching implications for businesses.
- Critically, fines under the GDPR will be significant – regulators may now fine companies up to EUR 20 million or 4% of global turnover for non-compliance.
- As a result, business data privacy compliance will raise issues similar to anti-corruption and antitrust compliance.
- The GDPR will apply to companies based both inside and outside of Europe, including:
  - companies processing personal data in the context of an EU establishment;
  - companies offering goods or services to EU residents;
  - companies that monitor the behaviour of EU residents; and
  - companies providing services to the above.
- Data is increasingly central to business operations, and data is obtained from many sources. The changing nature of technology, in particular through the increased connectivity of the internet of things, means that companies are collecting, processing and exploiting data in new and evolving ways. Complex supply chains also mean that data is increasingly being collected by one party, but being used by others without appropriate assurances about the collection procedure. If not properly managed, this data can be a critical liability.
GDPR Compliance Checklist
- This GDPR Compliance Checklist seeks to provide a high-level overview of the key requirements of the GDPR.
- The table summarises the nature of each provision, highlights the most important actions which organisations should take to prepare for compliance and provides a reference to the relevant Article in the GDPR. It also identifies the functions that will be affected by the changes in law and notes the stakeholders who will need to be involved in each set of actions.
- This table assumes a B2C environment and therefore a company obtaining, processing and storing quantities of consumer data.
- If your organisation has a B2B focus, while there may be certain areas where your obligations are slightly less onerous (and are less likely to require marketing and customer relations involvement), many of the requirements will remain applicable.