General Data Protection Regulation (GDPR)

What is GDPR?

In May 2018 the EU brought in stronger rules surrounding data protection which all companies operating in the EU must follow, regardless of where they are based.

The rules are designed to empower the individual when it comes to their personal data, and to ensure that all companies follow the same set of rules when it comes to storing, processing, transporting and securing data.


What does that mean for me?

There are a number of changes which all businesses need to be aware of. The EUR-Lex website provides the complete legislation but here are some headlines which you might find of use:

  • You need to use clear language when explaining your privacy policies to consumers.
  • You must get affirmative consent from a user before using their data – you cannot simply assume consent.
  • You must inform users if you are transporting their data outside of the EU.
  • You must inform the user as to the purpose of any data collection you undertake.
  • You must inform a user if a decision you make is automated based on their data.
  • If you suffer a data breach, you must inform the user without delay.
  • Users have a number of rights, which you must respect:
    • The right to move their data.
    • The right to access and get a copy of their data.
    • The right to be forgotten

This list is not exhaustive, and you should consult the EU website for a full understanding of the legislation.


What if I don't comply?

The 28 data protection authorities have the power to issue warnings, suspend your data processing, or impose fines of up to 20 million Euros, or 4% of your turnover.


Where do I find out more?

The European Commission website has a selection of handy factsheets which guide both businesses and consumers through the changes.

There is also a really good interactive explainer, here.

In the UK, you can get more information and resources at the Information Commissioner's Office.


Want to know more about how we can help? Contact us today.