In 2016 the EU adopted the General Data Protection Regulation (GDPR) replacing the 1995 Data protection Directive. The European Commission has said that 90% of European say they want the same data protection across the EU, regardless of where their data is processed. The reform of EU data protection rules mean people have more control over their personal data and businesses benefit from a level of playing field.
These changes which came into effect in May 2018, reflect an increased focus by the European Commission on data protection. The GDPR mean one set of rules for all companies operating in EU, wherever they are based. The following steps outline some of the key areas you should consider to help you prepare for the road ahead.
The GDPR introduces a new obligation to conduct a Data Protection Impact Assessment (DPIA) before carrying out new processing activities. The DPIA is a key element of the new focus on accountability and data privacy by design and default. It helps businesses to identify and address the data protection risks of any new processing activities undertaken.
Should you carry out DPIAs?
A DPIA is required if processing is likely to result in a high risk to individuals' rights and freedoms. A DPIA is not required for every process. KPMG help businesses to assess if a DPIA is required.
KPMG offers deep expertise and support to businesses through the process of completing DPIAs, and assessing the effectiveness of privacy controls.
Without data privacy training, there is a risk that employees may not handle personal data in line with the regulations. Employees must be prepared, fully equipped and aware of data protection practices within your business.
How can you prepare your employees?
KPMG offer training and awareness to enable employees to become familiar with Data Protection Laws and create a culture of data protection within the everyday business environment. We provide executive briefings on data protection, classroom-based training and on line training. Our teams have experience in cultural change and transformation and can help make data protection a high priority issue in your organisation.
Your local Data Protection Authority monitors compliance; Their work is coordinated at the EU level. Infringements of the GDPR can lead to fines of different levels depending on which provisions are infringed.
At the lower level this can be up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Or at the higher level up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is the higher.
These changes aim to provide all EU Citizens with more control over their data and protection from privacy and data breaches. The European Commission has said the regulation is an essential step to strengthen individual’s fundamental rights in the digital age and facilitate business by clarifying rules for companies and public bodies in the digital single market.