If you haven’t heard about it already, GDPR stands for General Data Protection Regulation. It is a regulation in EU law on data protection and privacy for all individuals within the European Union. GDPR replaces the 1995 Data Protection Directive and comes into force on 25th May 2018.
The Information Commissioner’s Office (ICO) has published a number of steps to take now to prepare for the new rules. The first step is to create awareness and make sure that all decision makers in your business are aware of GDPR and what it means for your company.
Next, you should complete an information audit, detailing all the data you hold, where it comes from and who it is shared with. Once this is complete, privacy notices should be reviewed and any necessary changes made to them before GDPR comes into effect.
Individual rights are a key factor in the new data protection rules. Procedures need to be put in place so that individuals are able to access the personal data that companies hold on them, and there needs to be a way to remove and delete this information on request. Consent is a major part of GDPR: how a company obtains, records and manages consent needs to be made clear.
Examples of personal data
Any data that can be used to identify an individual is considered personal information. This can be:
- Email address
- IP address (used for Google Analytics tracking)
How does a website collect personal data?
Some examples of personal data collection via a website are:
- User registrations
- Contact form entries
- Any other logging tools and plugins
Penalties for non-compliance with GDPR
The financial penalties for non-compliance are higher than under the old Data Protection Act. There’s an upper limit of 20 million euros or 4% of your annual global turnover, whichever is greater. Authorities can also:
- Issue warnings
- Carry out audits
- Demand that you fix issues within a strict deadline
- Demand that you erase data
- Stop data transfers to other countries