The EU’s GDPR stands for General Data Protection Regulation; simply put, it governs how a company may store, reuse or distribute a user’s personal data.
Following political agreement in December 2015 and formal adoption by the European Parliament in April 2016, the compliance deadline was set for May 2018.
It was proposed by the European Commission to strengthen and unify data protection for individuals within the European Union. The main goal of the new regulation is to give individuals control over their own personal data.
In the UK, GDPR will replace the Data Protection Act 1998, which was brought into law as a way to implement the 1995 EU Data Protection Directive.
Companies based in the EU must comply with the GDPR, but so must companies based outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
As part of the new regulation, all individuals in the EU are granted extensive rights over their personal data, including access, correction and the right to be forgotten, with
"mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object." (GDPR Recital 59)
The right of access is set out in GDPR Recital 63 (the operative provision is Article 15):
“A data subject should have the right of access to personal data,”
while the right to have the data corrected is in GDPR Recital 65 (Article 16):
“A data subject should have the right to have personal data concerning him or her rectified.”
Think about this the next time you’re fighting a credit reporting agency, and you’ll wish it applied to your own data.
“For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended." (GDPR Recital 42)
As the GDPR is a European Union regulation, some have questioned whether it will still apply once the UK leaves the EU.
Karen Bradley, Secretary of state for culture, media and sport said it will.
“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public,” she said.
Elizabeth Denham, the UK Information Commissioner, agreed:
“I acknowledge that there may still be questions about how the GDPR would work in the UK leaving the EU but this should not distract from the important task of compliance with GDPR by 2018,” she said. “We’ll be working with government to stay at the centre of these conversations about the long-term future of UK data protection law and to provide our advice and counsel where appropriate.”
Take action now before it is too late: if you do not comply with the new regulation by 25th May 2018, enforcement action may follow, with penalties scaled to the severity of the breach (the regulation sets maximum administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher).
Our best advice is to act now; don't put off the GDPR and find yourself rushing into action close to the deadline.
Take steps now to be ready for when this is implemented in May, advised Chris Coughlan, head of data protection and privacy at Ashfords. “It’s important to give someone ownership of this,” he said. “Start to try to streamline the data you have – if you find you have data you don’t need just delete it. Start mapping how data flows through your organisation."
He added that businesses should not assume they will not be affected by the changes. “Some firms have said they want to ‘wait and see’ what happens,” he said. “But that could be risky, as we know [Denham] has investigated many types of business, including small firms and charities, in the past.”
The deadline has been set for 25th May 2018, which is just around the corner, and once you start sorting out all of your data you may find the task larger than you had originally thought.