General Data Protection Regulations (“GDPR”)

October 27, 2017

GDPR is the new European directive which comes into force on 25 May 2018.  It will affect every organisation which processes an individual’s personal data.

  • GDPR – what is it?
  • When is it coming into force?
  • Who will it affect?

 

If you don’t know the answer to any of the above three questions then, in the words of Douglas Adams, DON’T PANIC. However, do read on.

GDPR is the new European directive which comes into force on 25 May 2018. In the UK this will be through the government’s Data Protection Bill. It will update the current Data Protection Act which is now almost 20 years old. The main purpose of GDPR is to give individuals greater rights and protection over their personal data.

GDPR will affect every organisation which processes an individual’s personal data. Processing personal data is not limited to collating and transferring data, but includes holding and storing it. That has not changed with GDPR. A summary of the key ways in which the protection of data will change is as follows:

  • GDPR will extend to all companies wherever they may be established in the world, and wherever the processing may take place, if they supply services to or monitor the behaviour of individuals in the EU.
  • Organisations can be fined up to 4% of annual global turnover, or €20 million (whichever is greater), for the most serious infringements, such as not having proper customer consent.
  • Obtaining consent from an individual must be clear and distinguishable, and provided in an intelligible and easily accessible form which sets out the purpose for the data processing.
  • It must be easy for an individual to withdraw consent.
  • An individual has a right to access their personal data free of charge, and to have their data erased, or transported over to another data controller.
  • The definition of personal data will be expanded to include things like IP addresses, internet cookies and DNA.
  • Privacy by design. Data protection must be included in the design of a new system (whether technical or organisational), to ensure that data is not held any longer than necessary and that access is limited to only those who need it.
  • Breaches must be reported within 72 hours.

 

To be GDPR compliant you should analyse the data you hold and the reasons for holding it, and conduct an audit of your systems, processes and policies. If you are not GDPR compliant come May next year then you face potentially disastrous consequences. It is not just a fine: a serious breach will put your reputation and goodwill at risk as well. Just ask those who have been unfortunate enough to have suffered from breaches of the existing data protection regulations. GDPR is coming. Are you ready?

 

If you would like further information about GDPR or to discuss specific queries, please contact our Data Protection lawyers, Carl Robinson or Zane Shihab.

This article is for general information and is not given by way of legal advice.
