The General Data Protection Regulation (GDPR) is a European regulation that came into force on 25 May 2018. As it is a regulation, it applies in all the member states of the European Union with no need for transposition into domestic law.
The GDPR is a collection of rules aimed at protecting the personal data of natural persons within the EU. It may be considered to be the most stringent data protection regulation in the world. Its application has led to the harmonisation of rights and freedoms in respect of personal data protection across the European Union.
The GDPR gives the term “personal data” a very extensive meaning, in that it includes all identified or identifiable data about a natural person:
It applies to all public or private entities, insofar as they process sensitive personal data, regardless of their size, country of establishment or type of activity.
Indeed, the regulation applies to all bodies based in the European Union that process personal data, even if the personal data relate to individuals located outside the EU.
What is more, non-European organisations with activities targeted to European customers are also subject to the GDPR.
Note also that the GDPR applies equally to subcontractors that collect and process personal data on behalf of other organisations.
A French winemaker selling all its production to North American customers must comply with the GDPR.
Similarly, an e-commerce company based in Turkey that sells Chinese-manufactured products in Germany from its German-language website must also comply with the GDPR.
Non-compliance with the General Data Protection Regulation can result in penalties up to €20 million or 4% of the total annual turnover of a company, whichever is greater.
IMPORTANT: while “large penalties” get the most publicity, that does not mean only large organisations are concerned. Indeed, most of the penalties imposed under the GDPR are smaller and are applied against smaller organisations such as SMEs, local government agencies or e-commerce websites.
As the United Kingdom left the European Union on 1 January 2021, it is technically no longer governed by the rules applicable in the EU. However, its data protection and privacy rules are, to date, identical to those under the European GDPR. The United Kingdom has its own UK GDPR (General Data Protection Regulation), which is equivalent to the European GDPR.
Nevertheless, the situation may change in coming years. We will keep you informed of any changes in the legislation governing the protection of personal data.
Our partner will support you in your efforts to comply with the General Data Protection Regulation and the legal particularities of each member state of the European Union, in all your activities, departments and processes, whether these are already in existence or still under development. Our GDPR services and advice branch covers a number of aspects that are all equally important in helping you on the way to compliance with the Regulation.
Our partner can carry out a GDPR compliance audit for you. The audit is aimed at assessing the degree of compliance and maturity of your company in respect of the GDPR and can relate to different levels within your organisation:
The audit report will then make it possible to recommend action to achieve the level of maturity required and secure compliance in the eyes of the supervisory authorities.
Do you want to comply with the GDPR but do not know where to start or which measures you need to put in place? Our partner can offer you tailored support for compliance with the General Data Protection Regulation. Such support may include:
The GDPR requires the data controller to put in place the measures and resources needed to ensure that only the necessary personal data are processed, both when it determines the means of processing and when the processing itself takes place.
To that end, the measures for protecting personal data must be identified when a project, service or product is designed (Privacy by Design).
Our partner will support you in the implementation of principles for protecting personal data by design and by default, whether that is for your entire organisation or for a specific project, by creating and applying a Privacy by Design programme.
The different parties affected by the GDPR will thus receive assistance in the integration of principles for protecting data at every stage of the development of products and services.
Article 35 of the GDPR makes it mandatory for the controller to carry out a data protection impact assessment (DPIA) when processing creates a high risk for the rights and freedoms of the data subjects, such as:
With its expertise in data protection and experience of analysing information security risks, our partner will provide you with valuable help to create your own DPIA.
Our partner provides a series of training courses in the core subject of data protection. Its offer includes:
ASD Group works with a special partner and a multidisciplinary team of experts specialised in data protection and information security.
That will secure for your organisation:
By using the services of our partner, you will benefit from:
Compliance with the Regulation is not easy, and employing a specialised outside consultant will ensure that you benefit from the knowledge of a competent individual dedicated to the compliance of organisations.
Our partner also offers Data Protection Officer (DPO) services. Using these services will enable you to centralise the handling of your GDPR obligations and comply with European legislation.