The EU’s General Data Protection Regulation signals a dramatic shakeup in the rules on how companies and other organisations manage individuals’ personal data. The new regulation will come into force on May 25th 2018, replacing the previous 1995 data protection directive. This switch from a directive to a regulation is important because it means the rules cannot be amended or interpreted by national authorities but must be applied in the same way right across the EU’s Single Market. However, the GDPR’s rules will reach well beyond the EU. Any organisation, anywhere in the world, that collects, uses or processes the personal data of anyone based within the EU will be subject to the new data regulations. The GDPR is therefore a European regulation that has global reach and impact: no one can afford to ignore it. Any organisation that collects and handles personal data is designated a “data controller” under GDPR.
The GDPR’s aim is to provide stronger protection for personal data that individuals share with organisations of all sorts and to give people more control over how their personal data is used and circulated, including a “right of erasure”, referred to by some as “the right to be forgotten”. Personal data is defined extremely broadly within the regulation: “‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
No one can afford not to comply with the GDPR. It is a large piece of regulation that completely changes the way personal data is protected, and it imposes multiple new obligations on organisations that collect and process personal data.
In this special report, done in conjunction with the BCR, we examine:
- The key obligations for data controllers under GDPR
- How are businesses responding to the challenge of complying with the GDPR?
- The essential steps to ensure compliance