The General Data Protection Regulation (GDPR) is the EU’s scheme to unify existing data protection laws within the European Union. It is designed to strengthen the protection of online personal data and will require all businesses handling EU residents’ data to delete personal information on request or when it is no longer required by the business or organisation. Heavy fines can be levied on non-compliant organisations.
This is the first significant change to data protection laws in the UK since the introduction of the Data Protection Act in 1998, and it is likely to be fully ratified in 2015 and implemented a year later.
Impact on business
Businesses looking to process personal data will need to gain explicit consent for doing so, and any data breaches will need to be disclosed to clients or users as soon as possible. Additionally, the ‘right to be forgotten’ (as publicised in the press recently with several high-profile cases involving Google) and the right to ‘port’ personal data between services will be included.
All firms will have to publish contact details for a Data Controller and be able to demonstrate that their business processes are built around maintaining privacy by default.
There is still some doubt as to whether the General Data Protection Regulation will become a reality. However, businesses that handle personal data should be taking steps to ensure they are ready: regardless of whether GDPR is ratified, it is highly likely that data protection laws will be tightened.