The General Data Protection Regulation (GDPR) is the new data protection standard with direct applicability to all organisations within the EU (or providing goods or services to those in the EU).
Since the Data Protection Act was passed in 1998 we’ve seen an explosion of internet activity, online shopping, social media, smartphones – and a vast change to how personal data flows within and between organisations worldwide. In response the GDPR significantly enhances individuals’ rights and updates data protection law to better suit modern technological life.
To meet these changes the GDPR addresses how data processing practices must now be handled, with consistent rules for the EU and beyond.
All organisations must now demonstrate that they respect the importance of individuals’ personal data, and process it in a manner that is:
- Lawful, fair and transparent
- For specified, explicit, legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Kept for no longer than necessary
Many requirements are similar, but there is much about the GDPR that is new, and all organisations will need to adapt their processes to demonstrate compliance. These include:
- Changes to how and when organisations will need to get consent for processing
- Explicit rules around processing of children’s data
- New responsibilities to ensure personal data is kept for no longer than necessary
- New conditions and legal bases for processing data without consent
- Rules about appointing Data Protection Officers, keeping activity records and other responsibilities
- New requirements for demonstrating accountability, security and risk assessment
- Division of liabilities for data controllers and processors
We help our clients understand how the GDPR will affect them specifically and work closely with them to make the initial changes and bring them up to speed with the legislation.
We provide longer-term support with internal monitoring, breach management, ongoing training and troubleshooting.