GDPR: What you need to know
What is GDPR?
The GDPR applies to all companies worldwide that process personal data of European Union (EU) citizens. This means that any company that works with information relating to EU citizens (regardless of where the company is based) will have to comply with the requirements of the GDPR, making it the first global data protection law. The GDPR classes any data that can be used to identify an individual as personal data. For example, for the first time, things such as genetic, mental, cultural, economic or social information will be classed as personal data.
What does it mean?
Companies will now have to ensure they use simple language when asking people for consent to collect personal data. It will also be vital that companies explain exactly what personal data they are collecting and how it will be processed and used.
What is a data breach?
A data breach occurs when a company uses an individual’s personal information without their consent, or for a purpose other than the one they gave consent for. The GDPR aims to ensure that organisations constantly monitor for breaches of personal data and have processes and systems in place enabling them to detect and respond to a data breach within 72 hours.
What is the 'right to be forgotten'?
Organisations must not hold data for any longer than absolutely necessary. They are also not allowed to hold data and change the use for which it was originally collected, without prior/additional consent from the individual. Companies must also have the systems and processes in place to delete all personal data on an individual once requested and prove that this has been done.
What are the implications?
Steep penalties are in place: for non-compliance, companies can be fined 20 million Euros or 4% of company turnover, whichever is the higher.