The European Union will shortly be implementing the General Data Protection Regulation (GDPR), agreed over three years of hard negotiations and lobbying.
It will become law in all member states (including the UK, should we remain in the EU), with a two-year transition period. From summer 2018, all those gathering, processing or holding data will be bound by its terms.
Briefly, some of the main requirements of the new regulation are:
Consent to the processing of personal data must be given freely; it must be specific, informed and unambiguous. Consent will not be held to have been freely given if the subject had no genuine and free choice.
Those outside of the EU who are targeting customers within the EU either by offering goods or services or by monitoring the behaviour of those within the EU will be subject to the GDPR.
Data controllers must keep records and be able to demonstrate compliance.
Where there is a data breach resulting in a risk to rights and freedoms of the data subjects, the breach must be notified to the Data Protection Agency without undue delay.
A range of penalties will be imposed for failure to comply with the GDPR, with the most severe breaches being liable to a fine of 4% of annual worldwide turnover.
Companies should start considering how they will be implementing the GDPR well before the 2018 deadline.
They should be aware of the legal basis on which they have requested, processed and kept data and should understand and respect privacy rules. Procedures should be in place to deal with any data breaches.
Putting good practices into place will take time, and to avoid last-minute complications the smart business will be looking at its policies now.
If you're looking for advice on how the GDPR affects your business, get in touch.