The new rules are intended to overhaul how businesses process and handle individuals’ personal data.
The laws will effectively replace the old Data Protection Act (1998) when they come into effect on May 28, and will continue to apply until Britain formally departs from the European Union.
Read below for everything you need to know about GDPR…
What is GDPR?
GDPR stands for General Data Protection Regulation, Europe’s new framework for data protection laws – it replaces the previous 1995 data protection directive, upon which current UK law is based.
According to the EU’s GDPR website, the legislation is designed to “harmonise” data privacy laws across Europe as well as give greater protection and rights to individuals.
It includes new rights for people to access the information companies hold about them, obligations for better data management for businesses, and a new regime of fines.
What do businesses need to do differently?
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA).
If you are complying properly with the current law, then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from.
However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.
What is ‘consent’ under the GDPR?
You may have recently received emails from firms asking if you’d be happy to “stay connected” or apps asking that you “review your terms”.
That’s because, under GDPR, consent must be an active, affirmative action by the data subject, rather than the passive acceptance under some current models that allow for pre-ticked boxes or opt-outs.
Controllers must keep a record of how and when an individual gave consent, and that individual may withdraw their consent whenever they want.
If your current model for obtaining consent doesn’t meet these new rules, you’ll have to bring it up to scratch or stop collecting data under that model when the GDPR applies in 2018.
What happens if a business breaks GDPR rules?
The GDPR grants regulators the power to fine businesses that do not comply with it.
In the UK, the Information Commissioner’s Office (ICO) would be able to levy fines of up to £8.8m (€10m) or two per cent of a firm’s global turnover (whichever is greater).
Those guilty of more serious breaches could face larger fines of up to £17m (€20m) or four per cent of global turnover.
These penalties are significantly higher than the £500,000 charges the ICO is currently able to dole out.