GDPR Support

GDPR is a new legislation being fully enforced in May 2018 and will replace the current Data Protection Act. The main objective of GDPR is to detail the current and newly enhanced, obligations and responsibilities organisations must follow in order to safeguard the data of EU citizens. Even B2B organisations, need to be treating their data. You now have less than a year to be fully compliant and put all the processes and system changes in place to ensure your meeting the standard.

The GDPR regulates the “processing,” which includes the collection, storage, transfer or use, of personal data about EU individuals. Any organisation that processes personal data of EU individuals, including tracking their online activities, is within the scope of the law, regardless of whether the organisation has a physical presence in the EU. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).

The GDPR provides more privacy rights to EU individuals and places significant obligations on organisations. Some of the key changes are:

• Expanded rights for EU individuals: The GDPR provides expanded rights for EU individuals such as deletion, restriction, and portability of personal data.
• Compliance obligations: The GDPR requires organisations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors.
• Data breach notification and security: The GDPR requires organisations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organisations.
• New requirements for profiling and monitoring: The GDPR places additional obligations on organisations engaged in profiling or monitoring behaviour of EU individuals.
• Binding Corporate Rules (BCRs): The GDPR officially recognizes BCRs as a means for organisations to legalise transfers of personal data outside the EU.
• Enforcement: Under the GDPR, authorities can fine organisations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred.
• One stop shop: The GDPR provides a central point of enforcement for organisations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.

No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU. ATG's data processing addendum, which references our Binding Corporate Rules, Privacy Shield certification, and the European Commission’s model clauses, will continue to help our customers legalise transfers of EU personal data outside of the EU. See our FAQ on our data processing addendum for more information.

You can find out more and keep up-to-date on the legislation via our GDPR blog series.