What is the GDPR and why should you read this?
On 25 May 2018, the most significant piece of European data protection legislation in 20 years came into force when the European Union’s (EU) General Data Protection Regulation (GDPR) replaced the 1998 Data Protection Act (DPA). The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe. It also sets higher standards for how companies must protect the personal information they process or control.
Now that the GDPR has come into effect, all companies processing and holding the personal data of subjects residing in the EU must comply with it, regardless of where the company is located. It is worth highlighting that Brexit will not affect the GDPR, and the UK will still be bound by this legislation once it leaves the European Union.
What are the key changes in the GDPR?
The GDPR includes several requirements that benefit data subjects, mandate increased control and transparency, and add robust accountability requirements as well as significant fines for violations – up to 4% of global revenues or €20 million, whichever is greater. Key differences in this data privacy regulation include stronger conditions for consent and obligations for data processors as well as data controllers, with obligatory contractual terms between the two. The GDPR also requires organisations to build data protection into the initial design of their systems, a concept known as ‘privacy by design’.
How will this affect you and what do you need to do?
The GDPR is now law and fundamentally changes how you can process and handle your clients’ data, so if you haven’t made changes already, it should be a top priority for your business. In summary, you will need to:
- Make sure you know what the GDPR is and how it affects your business.
- Have the correct security and controls in place to ensure your clients’ data is safe at all times.
- Be transparent and open with your clients about what data you are using, how and why you are using it, who can access it and for how long.
- Be able to demonstrate that you have relevant policies in place to back this up.
You will typically act as the data controller for any personal data you provide to third-party systems like Genovo. As the data controller, you determine the purposes and means of processing any personal data, whilst Genovo (the data processor) processes that data on your behalf.
As a data controller you are responsible for implementing appropriate technical and organisational measures to ensure, and to be able to demonstrate, that any data processing is performed in compliance with the GDPR. It is essential that you know where and how your clients’ data is being stored and who has access to it. If you use any third-party systems like Genovo to hold, collect or process data, you will need to establish whether their security controls, access policies and the location of their servers satisfy your GDPR requirements. Our “Genovo – What we’ve done to be GDPR ready” document can help you with this.
So what is Genovo doing to help its customers?
At Genovo, we are committed to helping our customers with their ongoing data protection journey by providing robust privacy and security protections built into our services and contracts. We already take the security, privacy and protection of data very seriously. When you use the Genovo application you provide information on your clients which needs to stay private and confidential. This is why we take firm, proactive steps to ensure the information that we process for you is kept safe, secure and locked away.
We encrypt all of your and your clients’ personal information using state-of-the-art encryption algorithms, to protect the personal data held within the Genovo application against a breach.
Everyone on the Genovo team has entered into a confidentiality agreement, meaning they are committed to keeping all personal data safe and secure. Always.
How can you be sure Genovo is ready?
Put simply, we were ready for the GDPR well before the May deadline. Many aspects were already in place thanks to our ongoing Data Protection Act compliance and evolving security measures, and we had long been working on enhancements to our product, contracts and documentation to support compliance with the GDPR for ourselves and our customers.
However, clarification of the finer details of the GDPR is still evolving via the Information Commissioner’s Office (the UK governing body for data protection). We are actively monitoring regulator guidance and interpretations of key GDPR requirements to inform our efforts, and we will continue to make changes to our policies and procedures as necessary.
If you would like to find out more about what we have done to ensure Genovo was GDPR ready and stays up to date with regulations, please send an email to our GDPR team at [email protected] requesting a copy of our “Genovo – What we’ve done to be GDPR ready” document.
Last updated: 29 May 2018