What is GDPR?
After years of debate and preparation, the General Data Protection Regulation (GDPR) will be enforced from May 25 2018. It was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy. It will be implemented in all local privacy laws across the entire EU and EEA region. It will apply to all companies selling to and storing personal information about citizens in Europe, including companies on other continents. It provides citizens of the EU and EEA with greater control over their personal data and assurances that their information is being securely protected.
Under the GDPR, individuals have:
- The right to access – individuals have the right to request access to their personal data and to ask how their data is used by the company after it has been gathered. The company must provide a copy of the personal data, free of charge and in electronic format if requested.
- The right to be forgotten – if consumers are no longer customers, or if they withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.
- The right to data portability – individuals have the right to transfer their data from one service provider to another, and the transfer must happen in a commonly used and machine-readable format.
- The right to be informed – this covers any gathering of data by companies; individuals must be informed before data is gathered. Consumers have to opt in for their data to be gathered, and consent must be freely given rather than implied.
- The right to have information corrected – individuals can have their data updated if it is out of date, incomplete or incorrect.
- The right to restrict processing – individuals can request that their data is not used for processing. Their record can remain in place, but it must not be used.
- The right to object – this includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
- The right to be notified – if there has been a data breach which compromises an individual's personal data, the individual has a right to be informed within 72 hours of the breach first having become known.
Will the GDPR affect my business?
Short answer: yes.
This new regulation will put the consumer in the driving seat and put the duty of complying onto businesses and organisations.
The GDPR not only applies to organisations located within the EU; it will also apply to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location. This means that even with the likes of Brexit looming, the UK will still have to adhere to the GDPR.
If a business fails to comply with the GDPR, it will face a fine of up to 4% of annual global turnover or €20 million. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core Privacy by Design concepts.
What can I do?
One of the best ways to get ready for the GDPR is to allocate more resources towards it. Bring on professionals who specialise in data protection and cyber security. You can hire a permanent employee, or go down the contracting route for help in the short term. Whichever option you go for, our specialist recruitment consultants can find you the perfect candidate to help get your business ready.