The General Data Protection Regulation (GDPR) is a new set of legal requirements that govern the handling and storage of personal data.
They come into force on 25 May 2018 and affect all EU countries, replacing the existing UK Data Protection Act (DPA).
As the UK is leaving the EU in 2019, can I just ignore GDPR?
No. Even after the UK leaves the EU in 2019, GDPR will continue to apply and will be a legal requirement here in this country.
The new GDPR rules are complex and far-reaching, so it’s best to seek expert legal advice on how exactly they will affect your particular business.
GDPR will significantly affect the way you can collect, store and use data.
It will also require your employees to undertake cybersecurity training and will limit the way you can contact your customers via electronic communications.
In short, that means:
- You need to obtain explicit consent for personal data to be held – i.e. ‘opt-in’ rather than ‘opt out’
- Records need to be kept up to date, must not contain personal information that is not strictly necessary and must not be stored for longer than is required for the specified purpose
- Data must be more securely processed to protect against cyber-attacks
- Customers now have a ‘right to be forgotten’ – meaning that you must remove their data permanently on request
- Any breaches must be reported promptly and without delay
What do I need to do?
You need to make sure your business is compliant with the new rules by 25 May 2018. A failure to do so could be very costly, as the maximum fine for a breach of GDPR can be up to 20 million Euros or four per cent of your annual turnover.