If you’ve ever been driven half mad by incessant emails and phone calls from businesses you don’t know and don’t want to know, we have some good news and some bad news. Good: it’s going to get a lot harder for them in spring. Bad: there’s compliance stuff for you.
The General Data Protection Regulation (GDPR) comes into force across the EU, including the UK, on May 25, with the aim of giving control of personal data back to individuals. It’s also supposed to simplify life for international businesses handling the data of EU residents, albeit with the threat of eye-watering penalties.
It’s going to be easier for people to bring private claims against companies when their data privacy has been infringed, and people who have suffered as a result of an infringement will be able to sue for compensation.
All the legalese can seem impenetrable, so here are some key terms and concepts to get you going:
Personal data — anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites or medical information to a computer’s IP address
Data controller — an organisation or individual that collects data. If this is you, you will need to register as a data controller with the ICO (UK) or the DPC (Ireland)
Data processor — any person (other than an employee of the data controller) who processes the data on behalf of the data controller. This could be a third-party company such as a cloud storage company used for backup of patient records. Processors are now required to maintain records and have more liability if they are responsible for a breach
Automated decision making and profiling — people have the right to question and fight decisions affecting them that were made with algorithms
The last batch of law in this area dates back to the 1990s, long before internet access for the masses sparked the data revolution, so the GDPR is being pitched as an urgent update in a world where people give away reams of personal data every day, knowingly and unknowingly, via their phones.
Don’t panic: some parts of the GDPR are still being drafted, and there’s plenty of time to get your business ready. The GDPR covers a lot, so we’d advise first reading 12 Steps To Take Now by the ICO if you’re in the UK or The GDPR And You by the DPC if you’re in Ireland.
If you need legal advice please do get in touch.
“It’s going to be easier for people to bring private claims against companies when their data privacy has been infringed”
Sunita Jordan, legal advisor