What is the GDPR?
The EU General Data Protection Regulation (“GDPR”) comes into force across the European Union on May 25, 2018 and brings with it the most significant changes to data protection law in two decades. The primary goal of these changes is protection of personal data and rights, while meeting the requirements of the digital age.
The 21st century brings with it the broad use of technology, new definitions of what constitutes personal data, and a vast increase in cross-border processing. The new Regulation aims to standardize data protection laws and the processing of personal data, affording individuals stronger, more consistent rights to access and control their personal information.
Euro Pacific Bank (EPB) (‘we’ or ‘us’ or ‘our’) is fully committed to upholding the privacy and rights of our customers, including:
- Ensuring the security and protection of personal information that we process
- Providing a compliant and consistent approach to data protection
- Developing a data protection regime that is effective, fit for purpose, and demonstrates an understanding of, and appreciation for, the new Regulation
We have always had a robust and effective data protection framework in place which complies with existing law and abides by the data protection principles. However, we recognize the requirement and importance of updating and expanding this program to meet the demands of the GDPR and the UK’s Data Protection Bill.
Our preparation plans for the GDPR are summarized in this statement and include the development and implementation of new data protection roles, policies, procedures, controls and measures to ensure maximum compliance at all times.
Frequently Asked Questions
When does the GDPR come into force?
The GDPR comes into force across the EU on 25 May 2018, when it will replace the current data protection rules in each EU country.
What information does the GDPR apply to?
The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to a specific data point (e.g. name, ID number, etc.).
Does the GDPR only apply to EU organizations?
The GDPR applies to processing carried out by organizations operating within the EU. It also applies to organizations outside the EU that offer goods or services to individuals in the EU.
Who does the GDPR apply to?
The GDPR applies to ‘controllers’, ‘joint controllers’ and ‘processors’ of personal data. A controller determines the purposes and means of processing personal data (see Article 24 of GDPR). A joint controller shares pre-agreed responsibilities with another controller (see Article 26 of GDPR). A processor is responsible for processing personal data on behalf of a controller (see Article 28 of GDPR).
How is processing defined?
The GDPR definition of ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Will Consent be covered in the Terms & Conditions?
No, it is no longer satisfactory to have consent bundled into another document or agreement. Consent needs to be explicit, unambiguous and recordable.
What data protection policies and procedures are required under GDPR?
The key data protection policies and procedures under GDPR include:
- Data Protection Policy
- Subject Access Request Policy
- Breach Management Policy
- Data Retention Policies
- IT Policy (usage of IT equipment)