The EU General Data Protection Regulation (GDPR) comes into force on May 25th, 2018 and will herald the biggest change in the way businesses handle customer data in decades.
While it is being implemented in the EU, replacing a raft of existing data protection laws including the one current UK law is based on, it also applies to any businesses with customers IN the EU, so in reality will have a worldwide impact.
The GDPR will harmonise data protection laws, as well as notably giving greater protection to individuals about how their personal data is used, and their rights over it.
In a nutshell, individuals have a raft of new rights to access the information companies hold about them. Businesses, in turn, are expected to comply with the new regulations – and will be subject to hefty fines if they don’t.
So, what does all this mean in practice? Essentially, if you handle customer data – and especially if you are already subject to the UK’s Data Protection Act 1998 (DPA) – then GDPR will affect you.
Many of the new rules are around accountability in the wake of massive breaches such as those suffered by Yahoo and Equifax. So, companies handing personal data are expected to show that they are taking care of it, and how they are processing it – as well as notifying the relevant authority within 72 hours if they suffer any form of data breach.
Some bigger companies will also need to document details such as why people’s information is being collected, and what exactly is being held. Those that process large amounts of data will be required to employ a data protection officer (DPO).
After decades in which personal data has been seen as the new oil, and up for grabs by whoever can get to it, the GDPR also gives a lot more rights to individuals. So, they can request what information a company has on them, request companies remove their details under a new ‘right to be forgotten’ and also request their data in a machine-readable format for a move to another supplier, e.g. in telecoms.
Designed to be fit for purpose in an age in which so much more of our lives are online, the GDPR will be a game changer – but needn’t be feared.