The General Data Protection Regulation (GDPR) is a new EU regulation on data protection that is coming into force on May 25, 2018. It affects everyone who does business with EU citizens and will affect businesses of all sizes. The Regulations deal with the holding and processing of personal data of Europeans. The new Regulations will mean:
- Genetic and biometric information will be included in the definition of 'sensitive data'
- Explicit consent may be required before someone's data can be transferred outside the EU
- Consent will be harder to obtain and can be withdrawn at any time
- A new 'right to be forgotten' could allow someone to request that content they are linked to is removed
- Using personal data must comply with one of six principles and an organisation must be able to demonstrate how it is complying
- A user’s IP address may be classified as 'sensitive personal data'
- More information must be included in a privacy notice
- Companies may be required to appoint a data protection officer
- Breaches of data protection must be reported within certain time limits, usually between 24-72 hours
- Supervisory authorities (like the Information Commissioner’s Office) can issue fines of up to 4% of global annual turnover for data breaches
The new rules will apply to businesses based in the EU, but also to any business offering goods or services to, or monitoring individuals in, the EU.
Businesses that may be affected have been advised not to wait until May 2018 to consider how the GDPR may impact their business and the data they hold. Organisations have been advised to carry out a full audit to consider:
- the impact of the GDPR
- whether any processes need to be redesigned
- whether contracts need to be renegotiated
- what policies and systems need to be altered
- what training across the organisation is required
To discuss this or any other company / commercial matter, contact us.