The General Data Protection Regulation – or GDPR for short – is a regulation which is intended to strengthen and unify data protection for all individuals within the European Union. But how will this new regulation (which is set to apply from the 25th May 2018) affect you and your business? Here are a few things you need to know about it for your business to continue running smoothly.
It Applies to Everyone
I should start off by highlighting that this regulation will apply to companies worldwide that process the personal data of European Union citizens. I should also point out for UK-based businesses that even though the UK is leaving the EU, if your company processes the personal data of any EU citizen, you will still have to follow these new regulations.
Businesses will have to be crystal clear when asking for consent to use personal data, and completely transparent in explaining how that data will be used. Without valid consent, any data processing activities will be shut down by authorities. Furthermore, EU citizens will be able to exercise their right to erasure (to have data deleted without undue delay) and to object to their data being processed at any time. In the event of non-compliance, your business can be fined up to a maximum of €20 million.¹
Data controllers and processors will be required to keep records on what personal data is being stored and used and why. Furthermore, they must also record who can access that information, how long the information is being stored, where the information is being stored and the security measures in place to protect it.
Previously, only data controllers were liable under the Data Protection Act (1998). However, with this new regulation, data processors also share liability. This means that a whole other group of businesses must now comply with these new regulations. If your business touches any personal data, it will also share liability, meaning you will have to comply with these new regulations to avoid being fined.
Data protection officers
If you run an organisation which undertakes the regular monitoring of individuals or large-scale processing of an individual’s racial or ethnic origins, political opinions, medical information and/or information about criminal convictions, then you have a legal obligation to appoint a Data Protection Officer within your organisation. This person must have a working expert knowledge of data protection law for you to successfully adhere to the GDPR.
Although the regulation does not take effect for over a year, you have no time to lose. For more information, I highly recommend checking out https://ico.org.uk/. The Information Commissioner’s Office has a plethora of information that can help you prepare your business to be GDPR-ready.
¹ Data-8 Summary of GDPR: https://www.data-8.co.uk/resources/gdpr/