The GDPR is a new EU data protection regulation that comes into effect on 25 May 2018 and replaces the current Data Protection Directive (95/46/EC). Its aim is to protect individuals' personal data and to strengthen the rights of EU citizens by introducing new data protection rules, in particular in view of the vast growth in data creation and collection since the Directive was written. The regulation will change the way businesses store, manage and process personal data, and, unlike the Directive, it applies directly in every member state without national implementing legislation. Businesses need to ensure they are compliant by May 2018.
Businesses that process consumers' personal data will need to comply with new obligations, which include:
- Where a business relies on consent as the lawful basis for holding data about individuals, that consent must be freely given, specific, informed and unambiguous (a clear affirmative action, not a pre-ticked box), and explicit consent is required for special categories of personal data such as health or biometric data; consent is only one of several lawful bases, so businesses must identify and document which basis applies to each processing activity
- Data processors will be required to maintain records of personal data and processing activities
- Businesses need to build data protection and privacy requirements into the design of their business processes and systems from the outset ("data protection by design and by default"), rather than adding them afterwards
- Businesses need internal processes that allow them to detect, investigate and report personal data breaches quickly and accurately: the supervisory authority must be notified within 72 hours of becoming aware of a breach, and affected individuals must be informed without undue delay where the breach is likely to result in a high risk to them
- Businesses need processes in place to honour, and to demonstrate that they have honoured, individuals' rights such as the right to erasure (the "right to be forgotten"), the right to data portability and the right to object to profiling
- A Data Protection Officer has to be appointed where a business carries out large-scale, regular and systematic monitoring of individuals (including employees) or processes special categories of personal data on a large scale
- Businesses need to know what personal data they hold, where it is stored and who it is shared with; otherwise they risk being in breach of the GDPR, which can result in substantial penalties of up to €20 million or 4% of worldwide annual turnover, whichever is higher