Replaces the Data Protection Act
This is a new EU regulation covering the processing of personal data. It’s effective from 25th May 2018 and replaces the existing Data Protection Act (DPA). Its enactment is not affected by Brexit. As you may have seen in the press, the fines for non-compliance are hefty: up to 4% of annual global turnover or €20 million – whichever is greater. Here is a short, but by no means exhaustive, guide to what you should know.
Why the change
This is a new pan-European regulation, replacing individual countries' data protection laws. In this respect it should help companies operating across borders. Such companies will only have to be regulated by the authority where they are based. The legislation reaches further, covering all organisations in the EU as well as those outside that process and control the data of EU citizens.
Many points are not new, being part of the existing DPA. But, with GDPR, there is more detail, a wider scope and changes to reflect digital developments.
The act also covers data security, system integrity and awareness. In the event of a data breach you must notify the authorities and individuals.
Here is a list of some aspects to consider.
- It covers all data traceable to an individual, however stored, including card files etc.
- Consent. It defines stricter criteria for obtaining permission; pre-ticked tick boxes, for example, are not permissible
- Inform. Why the data is held and what it is used for
- Access to data. Individuals (as with DPA) can access data held on them; the DPA charge of £10 can no longer be made
- Inaccuracies. The individual's right to request that inaccuracies are corrected
- Erasure. Request that data held can be deleted or forgotten
- Portability. Data has to be portable, allowing it to be transferred
- Restrict. Individuals have the right to stop their data being used, e.g. for marketing, research
Most companies handle data relating to individuals. This includes staff and customer information as well as prospect lists you may email; as such, they fall under the scope of GDPR. Under the legislation you will be expected to have good reasons as to why you have this data, to be able to account for how you collected it and to have measures in place to keep it secure. Lists purchased for marketing purposes are unlikely to conform.
If you are in any doubt, it is strongly recommended that you contact a specialist to ensure you are fully compliant.