GDPR – General Data Protection Regulation
What is GDPR?
GDPR (General Data Protection Regulation), also known as ‘EU 2016/679’, is an update to the current data protection directive, which is now somewhat outdated. The existing directive came into effect in 1995 and was labelled 95/46/EC.
- It is quite simply a regulation enforced by the European Parliament on EU (European Union) member states for the handling of data. It also applies to those who process the data of individuals who are based within the EU.
- The new ‘EU 2016/679’ regulation was first published in the EU Official Journal on 4th May 2016, and 20 days later it entered into force. The date from which the regulation applies, taking over from its predecessor, is 25th May 2018.
- Due to GDPR being a “Regulation” and not a directive, provisions are directly applicable in EU member states and they will not need to translate it into their own laws.
- This regulation has gone through four years of preparation and debate before it was finally approved by the European Parliament.
- Organisations who have not adopted the new GDPR or are still in a non-compliant state will face heavy fines.
- Due to its ‘extra-territorial scope’, all jurisdictions have to understand, and comply with, GDPR if they wish to do business with EU member states. These territories will need to become GDPR equivalent.
What are its objectives?
The GDPR’s primary objectives are:
- Give EU Citizens back control of their personal data
- Simplify the regulatory environment for international business by unifying it
To achieve this, the new regulation has to heavily account for “the internet” and the way we use handheld devices – as back when 95/46/EC was written the internet was in its infancy.
The regulation does not apply to B2B – it is for the individual.
Who will GDPR apply to?
The definitive list is quite simple:
- Controllers or processors established in the EU
- Controllers or processors not established in the EU but offering goods or services to clients within the EU
- Any businesses wishing to do business with a ‘data subject’ (individual) who is based in the EU
Guernsey’s approach to GDPR
Falling under the “extra-territorial scope”, Guernsey does need to act to ensure we are able to continue working with EU businesses & individuals. To achieve this, the States of Guernsey (SoG) are currently finalising their own equivalent version of the GDPR, The Data Protection (Bailiwick of Guernsey) Law 2017. Jersey are also following the same course of action.
Achieving equivalence is important, as otherwise the islands face being blacklisted by the EU, so this proactive approach by the SoG is welcomed. The islands have had a high level of engagement with the EU in order to ensure our approved status remains unchanged.
The Guernsey law will be heavily based on the EU version, and therefore, until a final version is released, it would be good practice to align your business procedures to the EU GDPR.