In May 2018, the General Data Protection Regulation (GDPR) was introduced throughout the EU. The regulation aims to increase the rights that individuals have over organisations collecting their data and what they can do with that data.
Although GDPR is an EU regulation, any organisation that trades within the EU or works with organisations within the EU must be GDPR compliant. GDPR aims to provide a single piece of data protection legislation, making it easier for organisations to operate across the EU.
In order to comply with the new regulations, organisations have to ensure that all data collected is stored safely and that there are suitable procedures for handling the data. Documents such as a Data Storage Policy are required in order to show that the guidelines are being accurately implemented.
In order for data to be stored, an individual has to actively approve the organisation collecting and storing the data. Previously, a pre-ticked box would have been acceptable but not under the new GDPR guidelines. This includes forms such as privacy notices for photography at events and contact details. For those under the age of 16, permission is required from the parent or guardian.
Organisations must inform the individual about how their data will be used and if it will be passed on to third party organisations. This should encourage organisations to review their Data Policies to ensure that they are able to comply with this requirement.
Within GDPR, one of the main initiatives is that the individual has a right to know when their information has been hacked. This allows the individual to take the appropriate measures to secure the information as quickly as possible.
Data Controllers have ultimate control over the way in which an organisation processes the data. Most organisations will appoint a Data Controller though some may choose to appoint Joint Data Controllers.
Under GDPR, individuals have the right to ask that their information be deleted at any time. The organisation must remove all information stored about that individual, including any photos that the individual appears in. They also have a responsibility to contact any other organisations that the data may have been passed on to.
All organisations were expected to be GDPR compliant from May 25th, 2018. If an organisation is not GDPR compliant, there are fines in place ranging from 10 million euros to 4% of the annual turnover for the organisation.
British Airways are currently facing the largest GDPR-related fine of £163 million for a data breach that happened last year. Marriott have also been fined £99.2 million for a data breach but are appealing the decision. Previously, the largest fine had been given to Google for 50 million euros; they are also appealing the fine. Other companies, such as Facebook, YouTube, Netflix and Amazon, are currently under investigation.
If your organisation is not fully GDPR compliant, or if you have any questions on GDPR, you can contact the Impact Compliance team at: