The General Data Protection Regulation – An introduction to GDPR

The General Data Protection Regulation is upon us and will completely change the way all businesses use personal data. To ensure you’re working towards compliance we’ve put together a series of blog posts which provide a useful overview of the key aspects.

Read our GDPR blog series:

  1. How the GDPR affects the personal data you hold
  2. Plan how you need to change ahead of GDPR implementation
  3. How GDPR gives rights to individuals and their data
  4. What is your lawful basis for processing data
  5. GDPR gives you a duty prevent and report data breaches

GDPR brings a new level of data protection

On 25th May 2018 The General Data Protection Regulation (GDPR) comes into force. GDPR is a new regulation designed to bring current data protection laws into the 21st century. In the modern world it’s become common place for people to regularly give permission for their personal information to be gathered, stored and used for a variety of reasons.

A key drive for GDPR is in relation to the many online services who provide free tools or apps in exchange for being able to gather their user’s personal data.  The dangers of individuals granting permission on a vast scale are obvious.

In the UK GDPR will replace the Data Protection Act 1998 and will give people control of how any organisation uses their data. It will also introduce fines for businesses who fail to comply with GDPR rules and ensure data protection laws are the same across the EU.

Even though GDPR is officially an EU law, it will be implemented in a post Brexit UK. The government has already introduced a new Data Protection Bill (governed by the ICO) which aims to carry over much of the GDPR law after Brexit. In short, the fact the UK is leaving the EU does not mean businesses can ignore it. You’ll also be wrong in thinking that GDPR only affects big businesses, if you store any kind of personal data you need to take steps to comply.

A business that is complying with current data protection laws will see many of their processes remain valid, however there will be changes and enhancements to make.

What will GDPR compliance look like?

Many businesses gather personal information for a host of reasons, including from customers, prospects, members or service users. Previously the way this information has been gathered, stored and used has come under little scrutiny, but not for much longer. The GDPR brings about legislative change that asserts that data belongs not to business, but to the individual. The new regulation aims to give people greater control over the collection and use of their personal data.

Under the rules of GDPR organisations will have to prove that personal data was gathered legally and have taken steps to ensure it is not misused. Individuals will have the right to ask you where you got it from and instruct you to delete it should they wish. Staff may also need to be trained to ensure they handle data appropriately and document how they’ve done so.

There isn’t a one approach fits all model, it’s down to businesses to take responsibility and determine what needs to happen to achieve compliance.