How will the General Data Protection Regulation affect your business?
The General Data Protection Regulation (also known as the GDPR) was approved by the EU Parliament in April 2016, and the UK government has confirmed that, despite Brexit, the GDPR will apply in the UK from 25 May 2018. The GDPR will change how businesses process and protect personal data, and it is essential that businesses take steps now to ensure that they comply. Danielle Austin highlights what you need to know to ensure you are ready for the GDPR.
The GDPR will place statutory obligations on businesses that control or process personal data. If your business is currently subject to the Data Protection Act 1998, it is likely that it will also be subject to the GDPR. Personal data includes names, photographs, email addresses, posts on social networking sites and computer IP addresses. All personal data must be processed lawfully, limited to what is necessary for the purpose (data minimisation), and kept in a form that permits identification of the individual for no longer than necessary.
One of the main changes introduced by the GDPR is a much higher standard for consent. Consent is only one of the lawful bases on which personal data may be processed, but where a business relies on it, the consent must be explicit: it must be expressly given, cannot be inferred from silence, inactivity or pre-ticked boxes, and must be presented separately from any other terms and conditions. Businesses must also ensure that it is as easy for an individual to withdraw their consent as it was to give it.
Another provision of the GDPR is the right to be forgotten. This right of ‘erasure’ allows individuals to request that their personal data be erased where the data is no longer necessary for the purpose for which it was originally collected, or where the individual withdraws the consent on which the processing was based.
Businesses are also required to be able to demonstrate that they comply with the GDPR, for example by adopting and implementing suitable internal policies and, in some cases, by appointing a data protection officer.
If businesses do not comply with the GDPR, penalties will apply. The most serious breaches can attract a fine of up to €20,000,000 or 4% of the business’s annual global turnover, whichever is higher. It is therefore important to make sure that your business is compliant before the GDPR comes into force.