What is General Data Protection Regulation (GDPR)?
In short, the General Data Protection Regulation (GDPR) is a set of European regulations on how EU citizens’ data is handled. In general, the rules are more strict than before and there are significant fines and penalties if you do not take care to familiarise yourself with the new legislation.
Does it apply to my business?
The General Data Protection Regulation (GDPR) will apply from 25 May 2018.
If you are processing (handling) or controlling (making decisions about) any personal data (for example names, addresses, emails, phone numbers, IP addresses etc.) of an EU citizen, then you will be affected by these changes. This includes businesses that are not necessarily based in the EU and the data is not limited to your clients but also includes employees, suppliers and other partners. There is a separate group of ‘special categories’ of personal data for things like ethnic background or religious views.
Furthermore, the government has indicated that this legislation and the Data Protection Regulation will remain in full force after Brexit.
What do I have to do?
There are 11 chapters and 99 separate articles in the new General Data Protection Regulation (GDPR) legislation. There are various legal reasons you can have for processing data (contract/legal obligation/vital interests/public task/legitimate interests), but generally speaking, the most important one for most small businesses is that of consent.
Consent to handle data needs to be clear, specific, explicit and freely given, so it cannot be hidden in small print or involve a default ‘opt-in’ position.
Additionally, data must be deleted or anonymised after a certain period of time. People will also have the right to access all the personal data you hold on them at any time, or request that you delete the data you are storing on them, so it is important that it is stored in an organised and comprehensible fashion to be accessed quickly and easily.
What are the penalties for non-compliance?
Businesses that breach the new Data Protection Regulation are open to substantial fines of up to €20 million or 4% of your company’s annual global turnover (whichever is larger), so clearly these rules are not to be taken lightly. It is also worth bearing in mind that an individual who suffers as a result of poor data management can sue you for damage.
How can we help?
If you are unsure about what steps to take next, our lawyers are on hand to point you in the right direction.
Our comprehensive and competitive advice on the General Data Protection Regulation (GDPR) compliance includes, but is not limited to:
- Update your website to comply with GDPR
- Provide a list of action points to anonymise online payments
- Advise on anonymising inactive customers and prospects
- Consult on data mapping
- Provide full-scale, comprehensible information about “Right to Access” and “Right to be Forgotten”
- Additional services, such as training your staff
For expert advice and assistance, please contact our lawyers on tel. +44(0)20 7822 8599 and by e-mail: firstname.lastname@example.org