10 key facts about GDPR


There is a lot of talk and hype around GDPR and what it means for your business. We have looked at some of the key General Data Protection Regulation features and changes that you should know about and listed them below.


Regulation vs. Directive: the new EU data protection law, Regulation (EU) 2016/679 of the European Parliament, known as the General Data Protection Regulation (GDPR), is a regulation. This means that the same regulation is passed and is applicable across all 28 EU member states, i.e. there are no local “clones/interpretations” per EU state (as would happen with a directive).
Significantly increased fines: Companies can be fined up to €20 million or 4% of annual global turnover for breaches of data protection law. The level of fine imposed will depend on the seriousness or repeated nature of a breach. This will be determined by a local country’s supervisory authority.

As an early example of indicative fines: Hampshire County Council – In August 2016, Hampshire County Council was hit with a £100,000 fine by the Information Commissioner’s Office (ICO) after documents containing personal details of over 100 people were found in a disused building. Files were found containing Social Care cases and complaints. The documents contained confidential information and sensitive (personal) data. Also found were 45 bags of confidential waste in another locked room. The ICO has the power to impose a monetary penalty on a data controller of up to £500,000.
The European Parliament’s press release highlights the GDPR’s provisions on clear and affirmative consent to the processing of private data by the person concerned, so as to give consumers more control over their private data. This could, for example, mean ticking a box when visiting an Internet website or by another statement or action clearly indicating acceptance of the proposed processing of the personal data. Silence, pre-ticked boxes, or inactivity will thus not constitute consent. It should also be as easy for a consumer to withdraw consent as to give it. The new GDPR also puts an end to “small print” privacy policies and information now should be given in clear language before the data is collected.
Recital 66 states: ‘To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, that controller should take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of the data subject's request.’
Direct accountability on processors and controllers of information: Under the old regulation, there were no obligations placed on processors (i.e. service providers) of data/information. Under GDPR, processors are directly accountable for data protection rules. This has a particular impact on Cloud providers, for example, that provide services containing EU residents’ data. The effects of the above can be mitigated by implementing a Content Management (CM) system. For example, details such as who the processor is, who the controller is, the data subjects involved, the categories of data and whether any of it is sensitive are required to meet expanded compliance requirements.
Direct and indirect identifiers: In contrast to the old directive, GDPR puts beyond any reasonable doubt the criteria used in identifying persons and specifically includes ‘location data’ and ‘an online identifier’ (e.g. Unique Identifiers (UDIDs)) criteria.
Mandatory breach reporting: The GDPR imposes a requirement on data controllers to notify data breaches without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. This must be reported to the national data protection authority (the ICO in the case of the UK). ‘In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.’ You are exempt if the information is unlikely to cause personal harm or is high risk to the individual. Encrypted data will be exempt from reporting.
Establishment outside the EU/extra-territoriality: The regulation will apply to all organisations, irrespective of a presence in the EU, i.e. if an organisation trades or offers goods and services within the EU, then it needs to comply with GDPR. The law is therefore applicable if you are established within the EU; or offer services to EU residents; or monitor the behaviour of EU residents.
Brexit is no excuse: Even though the UK is in the midst of Brexit, it is highly likely that some, or even all, of the GDPR’s provisions may be transposed into UK law. Although the specifics are obviously not yet known, it is likely that this may occur via an amendment to the Data Protection Act 1998 (DPA) or by repeal and enactment of new UK legislation.
Data Protection Officers: Entities will be obliged to appoint a Data Protection Officer (DPO) where, on a large scale and as part of their core activities, they regularly and systematically monitor data subjects or process sensitive personal data. SMEs (i.e. enterprises with fewer than 250 employees) will be exempt where data processing is not their core business activity. An organisation employing fewer than 250 people is exempt from keeping records (unless it processes personal data classified as high risk).

The 3 main criteria under which you must appoint a DPO (Article 35) are if your core activity is:
1. ‘large scale’ systematic monitoring of individuals;
2. ‘large scale’ processing of sensitive data; or
3. Mandatory for public authorities.

For reference, the exact wording of the mandate (Article 35) is:

“(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
(c) a systematic monitoring of a publicly accessible area on a large scale.”

A DPO can either be a part-time role or combined with other duties. In performing the role, the DPO must however have an independent reporting line (like most compliance officers), be empowered and report directly to the Board without interference.
What is GDPR?


On the 25th May 2018, the European General Data Protection Regulation (GDPR) will supersede national laws such as the UK Data Protection Act, unifying data protection and easing the flow of personal data across all 28 EU member states.


Are your MFDs secure?


Printers and Multi-Function Devices (MFDs) are intelligent networked assets that, like a PC, contain a screen, a keyboard, a hard drive (which can potentially store sensitive information), and an Operating System (OS). This makes them a key area to manage as part of your overall preparation for GDPR compliance.


Be prepared for GDPR


There are some very basic and core recommendations that KYOCERA suggests to “avoid the fine” and ensure that your organisation is compliant.

