If you are a business owner, you will no doubt have heard of the upcoming General Data Protection Regulation (GDPR) legislation that will come into effect on May 25th, 2018. The law will affect companies that collect data on citizens in European Union (EU) countries, including the UK.
What is GDPR?
The goal of GDPR is to set a new, improved standard for consumer rights regarding the data that companies collect and hold about them, and it will replace the outdated Data Protection Act 1998. It is the culmination of four years of effort to bring data protection firmly into the 21st century, a time when people regularly share their personal information with companies online.
The new regulation seeks to give people more control over how organisations use their data, and organisations that either do not comply or suffer data breaches can expect to receive hefty penalties. It will also help to ensure that there is a consistent data protection law across the EU.
Why is GDPR needed?
The biggest factor behind GDPR’s impending implementation is the desire to bring data protection law in line with how people’s data is actually being used. This is especially important for firms like Facebook, Twitter and Google, which offer their services for free as long as people submit their data to them. This has been in the spotlight recently because of the Cambridge Analytica scandal, where it has been alleged that at least 50 million Facebook profiles had their data illegally harvested to influence the 2016 US election. With the implementation of GDPR, the EU is looking to ensure that this kind of misuse does not happen again.
What types of privacy data will be protected?
- Basic identity information – name, address and ID numbers
- Web data – location, IP address, cookie data
- Health and genetic data
- Biometric data – fingerprints, samples, models
- Racial or ethnic data
- Political opinions
- Sexual orientation
Which companies are affected by GDPR?
All companies that store or process information about EU citizens will be affected by the new legislation, and this remains true even if they do not have a business presence within the EU. Despite the ‘Brexit’ vote in 2016, the UK still has to comply with GDPR, and the British government has drafted a comparable bill that will continue to apply once the UK has left the EU.
How do I get consent under GDPR?
Until now, consent to data collection could be obtained through passive acceptance, such as pre-ticked boxes or opt-outs; from May 25th this will no longer be the case.
Once GDPR is in effect, consent will have to be given by an active, affirmative action of the person submitting their data. Further to this, data controllers will have to keep a record of how and when the individual gave that consent, and the individual has the right to withdraw it whenever they want.