GDPR: The basics explained and what it means for your agency
In May next year the EU General Data Protection Regulation, or GDPR, will come into force. That means big changes in the way organisations collect, use and store Personally Identifiable Information (PII) in order to stay compliant and avoid large financial penalties.
Companies found to be in breach of the Regulation could face fines of up to 4% of their annual global turnover or €20 Million, whichever is higher. With so much at stake, it’s important to understand the key changes and the impact that GDPR will have.
The Regulation’s BIG changes:
- The rules for obtaining valid consent have been changed – All businesses collecting data must ask for individuals’ consent and explain what that data will be used for. Consent documents/forms must be clear and laid out in simple terms. Non-response does not constitute consent.
- Data Subjects have the right to be forgotten – which means individuals can request that their data be deleted and not shared with third parties.
- Right to access – Individuals will be able to request that the business provides them with all the data held on them as well as information on how it is being stored and what it’s being used for.
- Data Protection Officers – Anyone holding or processing data will have to appoint a Data Protection Officer.
- Mandatory breach notifications – businesses will have to inform the ICO within 72 hours of first identifying a data breach.
What information does GDPR apply to?
GDPR applies to both personal data and sensitive personal data. Personal data covers any data considered a ‘personal identifier’, meaning information that can be used to identify a person (the Data Subject), including IP address, email, name, address and occupation. Sensitive personal data relates to information on a data subject’s race, political opinions, religious beliefs and more.
Who does GDPR apply to?
The GDPR applies to all firms that handle customer data, no matter how big or small.
When does GDPR become law?
All businesses must ensure they are compliant by 25th May 2018, when GDPR will become law.