Privacy law is changing from 25th May 2018 onwards. The aim is to harmonise rules across the European Union relating to the protection of personal data and to make them fit for purpose in the digital era. There has been significant fanfare but what does GDPR really require a business to do?
Data protection law already exists, of course, and many of the requirements of GDPR will be familiar to companies; however, there are some significant changes that alter the framework through which businesses may process personal data.
- companies now need to ensure that individuals have given informed, affirmative consent to the processing of their data, and businesses need to be able to demonstrate that this consent has been given
- individuals will have a right to be informed of the use of their data, through clear and transparent privacy notices
- access to data in order to verify its accuracy now has to be provided more quickly than with previous legislation
- if data is inaccurate an individual now has the right to rectification or erasure
- individuals may object to certain uses of data, for example for the purpose of direct marketing or processing for statistical purposes
- where there is a data breach, the relevant supervisory body must be notified without undue delay
- fines can be imposed for a failure to comply with GDPR equivalent to as much as 4% of the annual turnover of a business.
These 21st-century data protection rules arrive this month. This is a regulation with teeth, and we recommend that businesses of all sizes review their existing arrangements for data protection, and do so without delay.