In this blog Darren Craig, answers the top four questions on the upcoming GDPR legislation, explaining what it is, when it comes into force, how things will change on day one, and why Brexit doesn’t matter either way.
As an independent expert to the European Commission and Associate Partner at Northdoor, I’ve been speaking to a lot of clients and prospects about this upcoming change to data protection and privacy laws, and pretty much everyone has at least the same four questions.
What is it?
The General Data Protection Regulation (GDPR) is new European regulation designed to give citizens greater control over their personal data and to protect it from loss or misuse. It replaces the existing DPA regulation in the UK, and it applies to essentially any organisation that holds data on citizens of member states of the European Union. So, if you have customers, employees or partners who are EU citizens, you’ll be impacted.
As well as requiring companies to collect, store and use personal data securely, fairly, accurately and responsibly, GDPR legislation gives individuals new rights in eight key areas:
to be informed about the data you hold on them
to access the data
to rectify it
to delete it
to restrict how you process it
to take it elsewhere
to object to its usage
to have it excluded from automated decision-making and profiling
When does it come into force?
This is an easy one: 25th May 2018.
How will things be different on day one of GDPR?
Not everything is clear yet: GDPR is a refreshingly short legal document – fewer than 100 pages – but that brevity leaves a number of points open to interpretation!
What is already clear is that all organisations need to revisit their processes for seeking, storing and managing consent from EU citizens for use of their personal data. (Note that “personal data” is defined in the GDPR as any information (e.g. an IP address) that could be used to identify a natural person). A key principle is that GDPR requires users to opt in to the use of their data (where the current DPA simply protects their right to opt out).
The other major change is that you’ll need to be prepared to respond rapidly (but no set turnaround time is specified) to requests from EU citizens to access, update, correct or delete their data.
Why does Brexit not affect GDPR?
For the time being, UK citizens remain EU citizens. Regardless of what ultimately happens in the ongoing Brexit negotiations, the UK government plans to adopt the same legislation for UK citizens. And even if the UK law ends up being different, any organisations dealing with EU citizens (regardless of the location of that activity) will still be required to comply with GDPR.
For more information
If you’d like to know more about how GDPR will affect your organisation, and how to prepare for it, please opt in below. (You see – we’re getting a head start!)
