The new General Data Protection Regulation (GDPR) was adopted by the EU Parliament in April 2016 and will apply from 25 May 2018 without any further legislation being needed. Although it is a piece of EU legislation, companies in the UK will be required to comply with it if they process or store information about individuals in the EU (for example by selling to them, or by holding other data about them), regardless of the outcome of the ongoing Brexit negotiations. Note that the regulation protects people who are in the EU, not only EU citizens.
Any company, wherever it is located, that sells goods or services to individuals in the EU must comply with GDPR. The fines for non-compliance are significant: for the worst offences, up to 4% of global annual turnover or €20 million, whichever is higher. The rules cover a very wide spectrum of data that might be used to identify someone (the 'data subject'), including photos, name, address, email address, posts on social media, an IP address and any other information that could be tied back to a person. Data Controllers and Data Processors must be aware of their respective responsibilities under the regulation. The rules on consent for processing or storing personal data have been significantly strengthened, and many organisations will need to change how they collect and record consent in order to accommodate them.
The data subject's right to access the data held about them is much stronger than it was previously and represents a major shift towards transparency. The right to be forgotten (the right to erasure) is also an important element of GDPR: data controllers will be required to delete the data they hold (and potentially to stop third parties from processing elements of it), not only when the data subject has withdrawn consent, but also when the data is no longer needed for the purpose for which it was originally collected.
There are many other implications of GDPR, and companies must be ready for them by May 2018 or risk fines for non-compliance. Are you ready? Do you know whether you are ready? Do you need help? Contact Corozon today for help with your GDPR compliance.