Regulation (EU) 2016/679 of the European Parliament and of the Council, more commonly referred to as the General Data Protection Regulation (GDPR), is a piece of binding EU legislation that will come into effect from 25th May 2018. It has taken four years to introduce and brings data protection legislation in line with the modern methods of handling and processing data.

Here in the UK, the legislation will replace the existing Data Protection Act 1998 and is the most fundamental change to data protection law for almost two decades.

What information does the GDPR apply to?

The GDPR covers any form of ‘personal data’; this being any piece of information from which an individual can be directly or indirectly identified. In addition to traditional personal data, such as name and address, the EU has expanded the definition of personal data to reflect our modern behaviours. Online identifiers, such as IP addresses, are therefore now also considered to be personal data.

Who does the GDPR apply to?

‘Controllers’ and ‘processers’ of data that belongs to EU residents are covered by the GDPR. The differences are defined as follows in Article 4 of the regulation:

• Controller: The
  natural or legal person, public authority, agency or other body which, alone or
  jointly with others, determines the purposes and means of the processing of
  personal data
  
• Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  

In most cases, a data controller will be an organisation, business or charity, but can also be an individual, who collects and shares personal data about their own staff, customers or members of the public. The data processor is a company or individual, for example an IT firm or outsourced call centre, who are employed to process the data on behalf of the data controller.

Can data subjects restrict the sharing of their data?

Yes, the conditions for what constitutes consent have been strengthened. Data subjects must now provide ‘explicit’ consent in order for the data processor to use their data. Organisations will no longer be allowed to use long and complex legal jargon. Instead, they must provide an intelligible and easily accessible form.

What are the consequences for failure to adhere to GDPR?

Organisations that fail to adhere to the GDPR can be fined up to 4% of their annual global turnover, with a maximum fine of €20 Million for the most serious infringements. These fines can be applied to both controllers and processors.

For more information on how to prepare your organisation for compliance with the GDPR legislation, please get in touch. You can call us on 0203 2878 243 or email info@priviness.eu.

Back To all catagories