How GDPR affects companies processing personal data.
The EU’s new General Data Protection Regulation (GDPR) will come into effect on 25 May 2018. GDPR amends existing data protection laws across the EU and provides greater regulation around how businesses hold and process consumer data. Any company that processes personal data (such as name, address, employment history, credit rating, income, etc.) will need to comply with the GDPR or risk sizeable financial penalties. Some elements of the GDPR are set out below.
The content of this article is not legal advice. You should consult a legal advisor on your GDPR responsibilities.
1. Consent
Consumers must knowingly and actively consent to being sent marketing emails from a company. This consent must be given on an opt-in basis by using unticked boxes.
2. Right to object
If asked by a consumer (i.e. data subject), a company (i.e. data controller) must stop processing data for direct marketing purposes. They must also stop any processing that is based on consent if the consumer withdraws their consent.
3. Breach notification
Data breaches must be notified to the ICO within 72 hours, and may also need to be notified to individuals if the breach is serious.
4. Individual rights
Consumers have various individual rights – the right to see a copy of all personal data being processed about them, the right to have their data deleted in certain circumstances, and the right to have a copy of their data in a machine-readable form.
5. Privacy by design
Appropriate privacy controls and measures must be built into any system that processes personal data.
6. Fines
The fines for non-compliance with the GDPR are much higher than under existing data protection laws. They have increased from a maximum of £500,000 to a maximum of 4% of a group’s global annual turnover. This obviously increases the risks associated with non-compliance.
7. Data protection officers
Certain businesses will be required to appoint a data protection officer.