This May a new law from the European Union will come into effect in the UK. The General Data Protection Regulation, or GDPR, will apply to all companies which process EU citizens’ personal data (for example greeting card purchasers) and seeks to tighten up the rules relating to storage and transfer of those people’s private information.
The GCA has issued a simple guide to the new regulations drawn up by the GCA’s legal advisors Steeles Law.
The aim of GDPR is to ensure that personal data is sufficiently protected by organisations which hold it, and to enable the prosecution of those that don’t. It is hoped that this will reduce the risk of large data breaches in future and increase the public’s confidence in how companies treat their personal data. In the long term, it could help prevent sensitive personal information from ending up in the hands of cyber criminals.
The GDPR introduces new responsibilities and duties of which businesses will need to be aware. The greatest challenge facing businesses may well prove to be gaining direct consent to collect individuals’ fresh personal data. It will have to be clear how the information will be used, and silence or inactivity no longer constitutes consent from the individual.
However, there are far less stringent requirements when it comes to current clients. The definition of ‘data’ has been widened to include almost any form of information about an individual. Companies must only store data for as long as is absolutely necessary and only use the data for the purpose for which it was originally collected. Another notable change is the obligation to delete data if a request to do so is received from the data subject. Ultimately, it seeks to increase accountability and transparency within businesses by asking them to put data protection at the heart of company strategy.
In reality, the practical effect of the new law will require you to consider the risk of a future data breach and the severity of that potential breach, and to adopt sensible procedures to sufficiently minimise the risk. A review of your data protection policies is therefore encouraged, and they may well require updating to reflect the introduction of the new regulation.