GDPR (General Data Protection Regulation) is a new EU directive coming in to force on 25th May 2018, it replaces the existing 1998 Data Protection act.
Much of GDPR could be considered just good ‘data hygiene’ which most companies should already be doing:
- Only store what is required
- Always ask for permission to store personal data
- Remove data you no-longer have a reason to keep or are told to remove
- Keep everything secure
However there’s a few points that need that warrant further discussion. Here’s what you need to know.
Even though this is an EU regulation if a company is based outside the EU but has customers inside the EU then it has to comply with GDPR. This means basically everyone.
Whenever a company want to hold personal data about someone they have to explicitly request permission and not in any round-about or nefarious way. They have to be up front and transparent about what they’ll hold and why they need it.
Right to Be Forgotten
This one is key for consumers, if you want your data deleted then if there’s not legitimate reason for a company to be holding your data then they have to delete it. As with most of GDPR this is open to interpretation but a valid reason for someone to hold your data may be if you’ve entered into a contact with them.
Notification of a data breach
Data controllers will have to notify Data Protection Authorities within 72 hours of a breach.
Penalties and fines
It would be unusual for regulation like this to specify specific fines but the EU clearly want to show they mean business. I quote “monetary penalties from 2% up to 4% of the total worldwide annual turnover, yet not less than 10 to 20 million Euro”.
Obviously this is just our take on what is a very complex issue, so it this impacts you or your business, do your own research using official sources and or qualified professionals.
Official EU Homepage for GDPR - https://www.eugdpr.org/
Symantec - https://www.symantec.com/en/uk/campaigns/data-privacy