BrightPay Blog


Sep 2017

11

GDPR - what businesses need to know

Data protection and how personal data is managed is changing forever. On 25 May 2018 the new General Data Protection Regulation (GDPR) will come into force. The GDPR is a European privacy regulation replacing all existing data protection regulations.

Current data protection legislation in the UK dates back to 1998, predating current levels of internet usage and cloud technology, making it unsuitable for today’s digital economy.

The GDPR will apply to any personal data of EU cititzens, regardless of whether it is stored within or outside the EU. Most, if not all companies, process a level of personal data, whether it is customer details or employee details, therefore businesses need to be aware and plan for the new legislation.

What is Personal Data?

The GDPR substantially expands the definition of personal data. Under GDPR, personal data is any information related to a person, for example a name, a photo, an email address, bank details, their personnel file, or a computer IP address.

High Penalties

Ignoring the new legislation is ill advised as there are tough new fines for non-compliance. Companies or organisations found to be in breach of the legislation will face fines of up to 4% of annual global revenue or 20 million Euros, whichever is greater.

GDPR & Brexit

The UK will not have departed the EU on 25 May 2018 and will still be an EU member state. The GDPR will consequently become domestic law and compliance will be mandatory.

Key Changes

Some of the key changes included as part of the GDPR include:

Consent must be clear, distinguishable from other matters and provided in an easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

Breach Notifications; where a breach occurs, the Information Commissioner’s Office and affected data subjects must be notified within 72 hours of the breach coming to light.

Data subjects will have additional rights, including:

  • Access Rights: data subjects may obtain from a data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.
  • Right to be Forgotten; data subjects will have the right to request that their personal data be erased, or ceased to be processed.
  • Data Portability: data subjects will have the right to receive the personal data concerning them, and the right to transmit that data to another controller.

To Do

If you haven’t already started planning for GDPR click here for guidance on how to prepare.