The General Data Protection Regulation (GDPR) In A Nutshell
The GDPR is designed to allow individuals to more effectively control their personal data. These updated regulations will also allow businesses to make the most of the opportunities of digital markets by improving public trust and harmonising data protection standards across Europe. The regulation will come into force on 25th May 2018.
What is the GDPR? In simple terms, it:
- Applies to personal data — any data that relates to a person or can be used to identify them in any way.
- Controls what can be done with personal information.
- Requires that consent is given, or that there is another good reason, before personal information is processed or stored.
- Gives a person the right to know what information is held about them.
- Allows a person to request that information about them is erased and that they are ‘forgotten’ — unless there is a reason not to do this, e.g. a loan account.
- Makes sure that personal information is properly protected. New systems must have protection designed into them (Privacy by Design). Access to data is strictly controlled and only given when required (Privacy by Default).
- Requires that, if data is lost, stolen or accessed without authority, the authorities are notified and, in some cases, the people whose data has been accessed are notified as well.
- Prohibits using data for anything other than the reason given at the time of collection.
- Requires that data is securely deleted once it is no longer needed.
- Allows national authorities to impose fines on companies breaching the regulation. These fines can be up to €20 million or 4% of the business's global turnover — whichever is higher.