Data protection and how personal data is managed is changing forever. On 25 May 2018 the new General Data Protection Regulation (GDPR) will come into force. The GDPR is a European privacy regulation replacing all existing data protection regulations.
Current data protection legislation in the UK dates back to 1998, predating current levels of internet usage and cloud technology, making it unsuitable for today’s digital economy.
The GDPR will apply to any personal data of EU citizens, regardless of whether it is stored within or outside the EU. Most, if not all, companies process some level of personal data, whether customer details or employee details, so businesses need to be aware of and plan for the new legislation.
What is Personal Data?
The GDPR substantially expands the definition of personal data. Under GDPR, personal data is any information related to a person, for example a name, a photo, an email address, bank details, their personnel file, or a computer IP address.
Ignoring the new legislation is ill-advised, as there are tough new fines for non-compliance. Companies or organisations found to be in breach of the legislation will face fines of up to 4% of annual global revenue or 20 million Euros, whichever is greater.
GDPR & Brexit
The UK will not have departed the EU on 25 May 2018 and will still be an EU member state. The GDPR will consequently become domestic law and compliance will be mandatory.
Some of the key changes introduced by the GDPR include:
Consent must be clear, distinguishable from other matters and provided in an easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Breach Notifications: where a breach occurs, the Information Commissioner’s Office and affected data subjects must be notified within 72 hours of the breach coming to light.
Data subjects will have additional rights, including:
If you haven’t already started planning for GDPR, click here for guidance on how to prepare.