When

The EU-Wide General Data Protection Regulation replaced the 1998 UK Data Protection Act.

GDPR came into force on 25 May 2018.

Article 50 : BREXIT : Image CC0 Pixabay

The Government has confirmed that the UK’s decision to leave the EU will not impact on GDPR.

Who?

In practice, all businesses who may be dealing with the PII (Personally Identifiable Information) of any EU resident should be concerned about GDPR & Their Business.

Controllers and processors of data need to abide by the GDPR and even if they’re based outside the EU, the GDPR will still apply to them so long as they’re dealing with data belonging to EU residents.

If processors are involved in a data breach, they are far more liable under GDPR than they were under the previous Data Protection Act.

GDPR : General Data Protection Regulation : Image CC0 - Pixabay
GDPR has been introduced to ensure conformity of Data Protection across Europe. Its scope is much wider than the previous Data Protection Act and it’s intended to take into account the modern digital environment in which we all work, live & play.

The Regulation extends the rights of individuals over their data and imposes onerous responsibilities on organisations large & small.

Your business will almost certainly need to develop or update clear policies and procedures to protect personal data with appropriate technical & organisational security measures demonstrably in place.

GDPR will be enforced by The Information Commissioner’s Office
Fines can potentially reach €20Million
or 4% of Global Turnover

It includes everyone
The GDPR applies to all businesses – within or without the EU – that hold or process personal data on EU Citizens
Changes to consent
The rules around obtaining consent from data subjects has been tightened up. No longer can consent be implied. Consent notices must be clear & simple, easy to understand and silence or inactivity does not constitute consent.

Affirmative consent to the processing of private data must be provided.

Mandatory Notification of Data Breaches
By Law, Data Breaches must be reported to The Information Commissioner’s Office within 72 hours of the breach being discovered.

If the data is of a sensitive or high risk nature, then the data subject must also be informed.

Shared Responsibility
Both Data Controllers and Data Processors are now responsible for the safeguarding of subject data.

Data processors now have their own legal obligations & responsibilities meaning that data processors can themselves be held liable for data breaches. Contractual arrangements between processors & controllers will need to be updated, stipulating responsibilities and liabilities between them.