The EU’s new General Data Protection Regulation (GDPR) will come into effect on 25 May 2018. GDPR amends existing data protection laws across the EU and provides greater regulation around how businesses hold and process consumer data.
Any company that processes personal data (such as name, address, employment history credit rating, income etc) will need to comply with the GDPR or risk sizeable financial penalties. Some elements of the GDPR are set out below.
The content of this article is not legal advice. You should consult a legal advisor on your GDPR responsibilities.
Consumers must knowingly and actively consent to being sent marketing emails from a company. This consent must be given on an opt-in basis by using unticked boxes.
If asked by a consumer (ie data subject), a company (ie data controller) must stop processing data for direct marketing purposes. They must also stop any processing that is based on consent if the consumer withdraws their consent.
Data breaches must be notified to the ICO within 72 hours, and may also need to be notified to individuals if the breach is serious.
Consumers have various individual rights – the right to see a copy of all personal data being processed about them, the right to have their data deleted in certain circumstances, and the right to have a copy of their data in a machine readable form.
Appropriate privacy controls and measures must be built into any system that processes personal data.
The fines for non-compliance with the GDPR are much higher than under existing data protection laws. They have increased from a maximum of £500,000 to a maximum of 4% of a group’s global annual turnover. This obviously increases the risks associated with non-compliance.
Certain businesses will be required to appoint a data protection officer.
0303 123 1113
For a statement on what ZPG is doing around GDPR click the button below