The EU-wide General Data Protection Regulation (GDPR) replaced the 1998 UK Data Protection Act.
GDPR came into force on 25 May 2018.
The Government has confirmed that the UK’s decision to leave the EU will not affect GDPR.
In practice, any business that may be handling the PII (Personally Identifiable Information) of any EU resident should be concerned about GDPR and its effect on their business.
Controllers and processors of data need to abide by the GDPR, and even if they are based outside the EU, the GDPR will still apply to them as long as they are dealing with data belonging to EU residents.
If processors are involved in a data breach, they are far more liable under GDPR than they were under the previous Data Protection Act.
The Regulation extends the rights of individuals over their data and imposes onerous responsibilities on organisations large and small.
Your business will almost certainly need to develop or update clear policies and procedures to protect personal data, with appropriate technical and organisational security measures demonstrably in place.
GDPR will be enforced by the Information Commissioner’s Office.
Fines can potentially reach €20 million or 4% of global turnover.
It applies to everyone.
Changes to consent
Affirmative consent to the processing of private data must be provided.
Mandatory Notification of Data Breaches
If the data is of a sensitive or high risk nature, then the data subject must also be informed.
Data processors now have their own legal obligations and responsibilities, meaning that data processors can themselves be held liable for data breaches. Contractual arrangements between processors and controllers will need to be updated, stipulating responsibilities and liabilities between them.