What is the GDPR and why should you read this?
On 25 May 2018, the most significant piece of European data protection legislation in 20 years will come into force when the European Union’s (EU) General Data Protection Regulation (GDPR) replaces the 1998 Data Protection Act (DPA). The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe. It also sets out higher standards for companies as to how they protect that information which they process or control.
Once the GDPR comes into effect, all companies processing and holding the personal data of subjects residing in the EU must comply with it, regardless of location. It is worth highlighting that Brexit will not affect the GDPR, and the UK will still be bound by this legislation once it leaves the European Union.
What are the key changes in the GDPR?
The GDPR includes several requirements that benefit data subjects, mandate increased control and transparency, and add robust accountability requirements as well as significant fines for violations – up to 4% of global revenues or 20 million Euro, whichever is greater. Key differences in this data privacy regulation include stronger conditions for consent and obligations for data processors as well as data controllers, with obligatory contractual terms between the two. The GDPR also requires organisations to include data protection in the initial design of systems, a concept known as ‘privacy by design’.
How will this affect you and what do you need to do?
The GDPR will fundamentally change how you can process and handle your clients’ data, so it should be a priority in all of your processes going forward. In summary, you will need to:
- Make sure you know what the GDPR is and how it will affect your business.
- Have the correct security and controls in place to ensure your clients’ data is safe at all times.
- Be transparent and open to your clients about what data you are using, how and why you are using it, who can access it and for how long.
- Be able to demonstrate that you have relevant policies in place to back this up.
You will typically act as the data controller for any personal data you provide to third-party systems like Genovo. As the data controller, you determine the purposes and means of processing any personal data, whilst Genovo (the data processor) processes that data on your behalf.
As a data controller you are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. It is essential you know where and how your clients’ data is being stored and who has access to it. If you use any third-party systems like Genovo to hold, collect or process data, you will need to establish if their security controls, accessibility policies and the location of their servers satisfy your GDPR requirements. Our “Genovo – How we’re preparing to be GDPR ready” document can help you with this.
We understand that preparing for this regulatory change is a priority for all of our customers. It is a priority for us too.
So what is Genovo doing to help its customers?
At Genovo, we are committed to helping our customers with their GDPR compliance journey by providing robust privacy and security protections built into our services and contracts. We already take the security, privacy and protection of data very seriously. When you use the Genovo application you provide information on your clients which needs to stay private and confidential. This is why we have taken firm, proactive steps to ensure the information that we process for you is kept safe, secure and locked away.
We encrypt all your and your clients’ personal information using state-of-the-art encryption algorithms to protect against a breach of your clients’ or your personal data held within the Genovo application.
Everyone on the Genovo team has entered into a ‘duty of confidence’ meaning they are committed to keeping all personal data safe and secure. Always.
Whilst ultimate responsibility for your compliance with the GDPR lies with you, we can help you get into the best position to be ready for the regulation. We can also provide you with any information you may need to present to your clients and the regulator to satisfy the requirements of the new regulation.
How can you be sure Genovo will be ready?
Put simply, we will be GDPR ready by 25 May 2018, if not significantly sooner. Many aspects are already in place due to our ongoing DPA compliance and evolving security measures, and for a little while now we have been working on enhancements to our product, contracts and documentation to help support compliance with the GDPR for ourselves and our customers.
Clarification on the finer GDPR detail is still evolving via the Information Commissioner’s Office (the UK governing body for data protection). We are actively monitoring regulator guidance and interpretations of key GDPR requirements to inform our efforts, and we will continue to make any changes to our policies and procedures as deemed necessary.
If you would like to find out more about what we are doing to ensure Genovo is GDPR ready, please send an email to our GDPR team at firstname.lastname@example.org requesting a copy of our “Genovo – How we’re preparing to be GDPR ready” document.
Last updated: 24 January 2018