The new General Data Protection Regulation (GDPR) is set to come into effect on 25 May 2018. It will require all organisations that deal with individuals living in an EU member state to protect the personal information belonging to those individuals, and to hold verifiable proof of that protection.
Under the new regulation, firms must be accountable for their data usage, and must identify a lawful basis for processing personal data. The GDPR builds on existing principles under the Data Protection Act, and also introduces some additional rights.
The new regulation applies to processing carried out by organisations operating in the EU, and also to those offering goods or services to individuals who reside in the EU. The UK’s decision to leave the EU will not affect the introduction of the GDPR, so it’s essential that your business is prepared.
Businesses are strongly advised to review their data privacy and security practices to help ensure they are compliant. You may wish to provide GDPR training to your employees, and to review your procedures relating to consent, requesting fresh consent from customers where necessary. The financial penalties for non-compliance with the GDPR are severe, with fines of up to €20 million or up to 4% of total annual worldwide revenue, whichever is the greater.
Further guidance can be found on the Information Commissioner’s Office website: www.ico.org.uk.