{"id":1564,"date":"2017-12-15T18:09:01","date_gmt":"2017-12-15T18:09:01","guid":{"rendered":"https:\/\/crigroup.com\/?post_type=blog&#038;p=1564"},"modified":"2022-11-14T15:29:06","modified_gmt":"2022-11-14T15:29:06","slug":"gdpr-21-century-compliance-approach","status":"publish","type":"post","link":"https:\/\/crigroup.com\/ar\/gdpr-21-century-compliance-approach\/","title":{"rendered":"GDPR: A 21st Century approach to Compliance"},"content":{"rendered":"<p>Ever since its conception, GDPR has caused a strong stir in the legal and compliance world. The new law builds on the previous data protection legislation but at the same time provides more resilient protections for consumers, and more privacy considerations for organisations involved in the processing of personal data. The new EU General Data Protection Regulation (GDPR) in Europe, adopted in 2016, will be applicable starting on May 25, 2018. GDPR comes with significant changes compared to the Data Protection Directive 95\/46\/EC involving operational changes in organisations.<\/p>\n<p>To say that GDPR is an extension of the previous law would also not be true. It is an add-on, but also a game changer in the field of legal and compliance. It has been dubbed the most important change in data privacy laws in 20 years, leaving the compliance world in a bit of an abyss due to its ever-evolving nuances and the uncertain nature of its applicability. Each country outside the EU needs to have its own data protection law as stringent and controlled as the EU\u2019s GDPR.<\/p>\n<p><strong>Personal data<\/strong><\/p>\n<p>So, what exactly does GDPR apply to? GDPR applies to personal data and personal sensitive data. If you are offering goods or services to EU citizens inside or outside the EU, GDPR will apply. However, the GDPR\u2019s definition is more detailed and makes it clear that information such as an online identifier, for example an IP address, can amount to \u2018personal data\u2019. 
The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.<\/p>\n<p>For most organisations keeping HR records, employment checks, customer lists or contact details, the change to the definition should make little practical difference. So one can assume that if an individual or organisation holds information that falls within the scope of the Data Protection Act (DPA), it will also fall within the scope of the GDPR. The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA\u2019s definition and could include chronologically ordered sets of manual records containing personal data.<\/p>\n<p><strong>Sensitive personal data<\/strong><\/p>\n<p>It is important to note that the GDPR refers to sensitive personal data as \u201cspecial categories of personal data\u201d as stated in Article 9. These categories are broadly the same as those in the DPA, but there are some minor changes. For example, the special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to their processing. All kinds of background screening and due diligence fall under it.<\/p>\n<p><strong>Controller and Processor<\/strong><\/p>\n<p>Another key step in getting ready for GDPR is first determining whether your organisation processes personal data as a \u201cdata controller\u201d or \u201cdata processor\u201d. The GDPR applies to \u2018controllers\u2019 and \u2018processors\u2019 (Article 19-23). A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller. 
If you are a processor, the GDPR places specific legal obligations on you, for example the requirement to maintain records of personal data and processing activities. You also bear legal liability if you are found responsible for a breach.<\/p>\n<p>However, controllers are not relieved of their obligations where a processor is involved, as the GDPR places further obligations on controllers to ensure their contracts with processors comply with the GDPR. The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.<\/p>\n<p><strong>Consent<\/strong><\/p>\n<p>To understand GDPR further, it is important to know that consent under the GDPR (Article 32) must be a freely given, specific, informed and unambiguous indication of the individual\u2019s wishes. There must be some form of clear affirmative action, or in other words, a positive opt-in. Consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must be verifiable, and individuals generally have more rights where you as a person or organisation rely on consent to process their data.<\/p>\n<p>For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data. These are often referred to as the \u201cconditions for processing\u201d under the DPA. It is important that you determine your lawful basis for processing personal data and document this.<\/p>\n<p><strong>Data protection officer<\/strong><\/p>\n<p>This becomes more of an issue under the GDPR because your lawful basis for processing influences individuals\u2019 rights. For example, if you rely on someone\u2019s consent to process their data, they will generally have stronger rights, for example to have their data deleted. The data protection officer (DPO) is the person responsible for GDPR compliance. 
As per Article 35, an organisation will be required to hire a DPO depending on its size and on whether it processes a large volume of special category data. This person will operate independently of the organisation. The principles of accountability and transparency have previously been implicit requirements of data protection law; however, the GDPR\u2019s emphasis elevates their significance.<\/p>\n<p>Ultimately, the aim of these measures should be to minimise the risk of breaches and uphold the protection of personal data. Background investigation companies such as CRI Group, which offer various screening services and conduct fraud examinations, pre- as well as <a href=\"https:\/\/crigroup.com\/ar\/employee-background-checks\/\" target=\"_blank\" rel=\"noopener\">post-employment screening<\/a> through \u201cEmploySmart\u201d, \u201c3PRM\u201d <a href=\"https:\/\/crigroup.com\/ar\/due-diligence\/\" target=\"_blank\" rel=\"noopener\">due diligence investigation<\/a> services and third-party checks, will need to incorporate GDPR in their systems for adequate accountability, transparency and governance in the organisation.<\/p>\n<p><strong>Who is CRI Group?<\/strong><\/p>\n<p>Based in London, CRI Group works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international <a href=\"https:\/\/crigroup.com\/ar\/third-party-risk-management\/\">Risk Management<\/a>, <a href=\"https:\/\/crigroup.com\/ar\/employee-background-checks\/\">Employee Background Screening<\/a>, <a href=\"https:\/\/crigroup.com\/ar\/business-intelligence\/\"><div id=\"h1-9\">Business Intelligence<\/div><\/a>,\u00a0<a href=\"https:\/\/crigroup.com\/ar\/due-diligence\/\"><div id=\"h1-2\">Due Diligence <span class=\"rtl-1\">360\u00b0<\/span><\/div><\/a>, <a href=\"https:\/\/crigroup.com\/ar\/compliance-solutions\/\"><div 
id=\"h1-1\">Compliance Solutions<\/div><\/a>\u00a0and other professional <a href=\"https:\/\/crigroup.com\/ar\/investigative-solutions\/\">Investigative Research<\/a> solutions provider. We have the largest proprietary network of background-screening analysts and investigators across the Middle East and Asia.\u00a0Our global presence ensures that no matter how international your operations are we have the network needed to provide you with all you need, wherever you happen to be. CRI Group also holds <strong>BS 102000:2013<\/strong>\u00a0and <strong>BS 7858:2012 Certifications<\/strong>, is an HRO certified provider and partner with Oracle.<\/p>\n<p>In 2016, CRI Group launched <a href=\"https:\/\/abacgroup.com\/\">Anti-Bribery Anti-Corruption (ABAC\u00ae) Center of Excellence<\/a> &#8211; an independent certification body established for <a href=\"https:\/\/abacgroup.com\/iso-37001-certification\/\">ISO 37001:2016 Anti-Bribery Management Systems<\/a>, <a href=\"https:\/\/abacgroup.com\/iso-37301-certification\/\">ISO 37301 Compliance Management Systems<\/a> and <a href=\"https:\/\/abacgroup.com\/iso-31000-risk-management\/\">ISO 31000:2018 Risk Management<\/a>, providing <a href=\"https:\/\/abacgroup.com\/iso-37001-training\/\">training<\/a> and <a href=\"https:\/\/abacgroup.com\/iso-37001-certification\/\">certification<\/a>. ABAC\u00ae operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. As a result, CRI Group&#8217;s global team of certified fraud examiners work\u00a0as a discreet white-labelled supplier to some of the world\u2019s largest organisations.\u00a0<a href=\"https:\/\/abacgroup.com\/contact\/\">Contact\u00a0ABAC\u00ae for more<\/a> on ISO Certification and training.<\/p>","protected":false},"excerpt":{"rendered":"<p>Ever since its conception, GDPR has caused a strong stir in the legal and compliance world. 
The new law builds on the previous data protection legislation but at the same time provides more resilient protections for consumers, and more privacy considerations for organisations involved in the processing of personal data. The new EU General Data [&hellip;]<\/p>","protected":false},"author":1,"featured_media":21386,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16,146],"tags":[],"class_list":["post-1564","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-compliance-solution","category-resources"],"gutentor_comment":0,
"_links":{"self":[{"href":"https:\/\/crigroup.com\/ar\/wp-json\/wp\/v2\/posts\/1564","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/crigroup.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/crigroup.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/crigroup.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/crigroup.com\/ar\/wp-json\/wp\/v2\/comments?post=1564"}],"version-history":[{"count":5,"href":"https:\/\/crigroup.com\/ar\/wp-json\/wp\/v2\/posts\/1564\/revisions"}],"predecessor-version":[{"id":21387,"href":"https:\/\/crigroup.com\/ar\/wp-json\/wp\/v2\/posts\/1564\/revisions\/21387"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/crigroup.com\/ar\/wp-json\/wp\/v2\/media\/21386"}],"wp:attachment":[{"href":"https:\/\/crigroup.com\/ar\/wp-json\/wp\/v2\/media?parent=1564"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/crigroup.com\/ar\/wp-json\/wp\/v2\/categories?post=1564"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/crigroup.com\/ar\/wp-json\/wp\/v2\/tags?post=1564"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}