What is it?
On 25 May 2018, the General Data Protection Regulation, a major piece of new EU legislation, comes into effect (it was adopted in 2016 and becomes enforceable on that date). The GDPR governs the use of personal data and aims to strengthen and harmonise data protection law across the EU. It gives individuals more control over their personal data by placing tighter obligations on the organisations that control and process it.
The GDPR protects the rights of people in the EU regardless of where their data is collected or processed. It therefore applies not only to organisations established in the EU, but also to organisations anywhere in the world that offer goods or services to people in the EU or monitor their behaviour. Note that the test is whether the individual is in the EU, not whether they are an EU citizen. Because so many organisations fall within its reach, it is widely expected to become a de facto international benchmark for data privacy.
What does it mean for me?
The scope of the GDPR is massive. It covers any individual, organisation or company that either ‘controls’ (decides why and how personal data is used) or ‘processes’ (handles personal data on a controller’s behalf) the personal data of people in the EU. If you, your business or your organisation holds any data about people in the EU, the new legislation will apply to you, and you will need to ensure you comply with it. “Personal data” in this sense means any information relating to an identified or identifiable individual: contact details, marketing preferences, order history, an IP address or other online identifier, transaction information and much more besides. Data that is pseudonymised (for example, keyed to a customer number rather than a name) is still personal data if the individual can be identified by combining it with other information you hold.
If you collect what the GDPR calls “special categories of personal data” (often referred to as sensitive personal data) on your clients (for example, their religious or political views, sexual orientation, ethnic origin, health, or genetic or biometric data), the rules are far more stringent: processing such data is prohibited unless one of a short list of specific conditions applies, such as the individual’s explicit consent, and it must be protected with security measures appropriate to the higher risk.
Failure to comply with the new legislation can result in fines of up to €20 million or 4% of a company’s total worldwide annual turnover, whichever is higher (a lower tier of €10 million or 2% applies to some breaches, such as failures in record-keeping or security). Regulators can also order you to limit or stop processing altogether, so it is important to ensure you are covered.
How do I comply?
All companies that handle personal data must now map exactly what personal data they hold, why they hold it, where it is held (including with third-party processors such as hosting, payment or email providers), how long they keep it, and who has access to it. Any employees who handle personal data must be trained in the new legislation, and unless you are a small organisation whose processing is only occasional and low-risk, you must keep a written record of your processing activities.
Companies are expected to update their existing data protection policies and privacy notices to make it transparent to their customers what information is held, how, why, on what lawful basis, and for how long. Customers must be able to access the personal data held about them and to have it corrected, deleted (the ‘right to be forgotten’, which is subject to conditions) or transferred to another provider in a machine-readable form, and you must normally respond to such requests within one month.
Where you rely on consent as your basis for processing, that consent must be freely given, specific, informed and unambiguous (a clear affirmative action, not a pre-ticked box), it must be as easy to withdraw as it was to give, and you must keep a record that demonstrates it was obtained.
What – ALL my Data???
Before you start having palpitations over the implications of the GDPR, there are a few very sensible caveats to the need to obtain consent. Consent is only one of six lawful bases for processing personal data, and you need only one of them to apply. Here’s how it works. You do not need consent for any data that you process:
- to fulfil a contract with the individual (or to take steps at their request before entering into one)
- in pursuit of your legitimate interests (ie, processing genuinely necessary for your business to operate, provided those interests are not outweighed by the individual’s rights and interests)
- to meet a legal obligation
- to carry out a task in the public interest or in the exercise of official authority (ie, certain processing by schools, hospitals, public bodies etc)
- to protect someone’s vital interests (when it could save a life to do so)
So, if the only data you hold and store is needed to carry out your day-to-day business, is legally or contractually required, serves a public task, or could be life-saving, you don’t need to worry about obtaining consent for it. Phew! You do still need to decide and document which basis applies to each kind of processing, and say so in your privacy notice, because the lawful basis is hard to change later.
However, you can only argue that processing is in your legitimate interests when the person concerned has a legitimate reason to expect that you will process or hold their data, and when your interests are not overridden by theirs: if the processing would surprise them or could cause them harm, legitimate interests will not cover it. It is worth writing down this balancing test so you can show a regulator your reasoning.
More broadly, the GDPR is likely to be the start of a paradigm shift in attitudes towards data, and everyone should take some time to think about its implications for them.
Can you help???
IMPORTANT INFORMATION: This article does NOT constitute legal advice, which Port 80 Services is in no way qualified to give. We strongly recommend seeking professional legal advice to ensure you comply with the GDPR.