The General Data Protection Regulation (GDPR) has been around for a couple of years; however, it becomes mandatory from 25th May 2018.
What is it?
Back in 1998 there was the Data Protection Act. It was designed to protect personal data stored on computers or in paper filing systems. Fast forward 20 years and the digital world is far from what it once was. Huge developments in technology, mobile tech, data collection and online activity have resulted in a large amount of personal information being gathered and stored.
The new regulation will apply to any organisation that collects data from EU residents and to any organisation that processes that data. The regulation also applies to anyone outside the EU when dealing with a person, business or country in the EU.
What does it mean?
Data handling procedures may need to be altered or changed completely. The Federation of Small Businesses (FSB) highlights a few key areas that businesses may need to look at to ensure they are fully prepared for the GDPR.
In particular, they look at the rights of individuals enforced under the GDPR:
Right of access – individuals can request access to their personal data and ask how you make use of it.
Right to be forgotten – individuals can ask you to delete or remove their personal data where there is no good reason to hold it.
Right to be informed – individuals must know how you intend to use their data when it is being gathered, and they must freely give their consent to it.
Right to restrict processing – individuals may allow you to store their data but can state you are not allowed to process that data for any reason.
Fines for not following the rules of the GDPR can be up to 20 million euros or 4% of worldwide turnover, whichever is higher.
Many organisations will already have rules in place regarding the management of data; however, they may need to make some adjustments under the GDPR.