On 25 May 2018 the General Data Protection Regulation (GDPR) came into effect in the UK.
If your organisation processes personal data and is established in the EU, the GDPR will apply to you. It also applies to businesses based outside the EU that process the personal data of people in the EU.
Definition of personal data
Under GDPR the definition is broad, covering any data that directly or indirectly identifies a living person. Email addresses, extension numbers, IP addresses and identification numbers can all amount to personal data.
Controllers and processors
The GDPR applies to data controllers and data processors and sets out their obligations when processing personal data. Hefty fines can be imposed if your organisation fails to comply with its obligations.
Definition of processing
Under the GDPR the definition of processing is broad. You will process personal data if, for example, you collect, store, use or disclose personal data.
Rights of individuals
The GDPR clarifies and extends the rights of individuals and introduces new rights. For example, the right of erasure means that in certain circumstances your organisation will have to delete personal data.
What happens if there’s a data breach?
If you suffer a data breach, you may have to report it to the ICO and affected individuals within 72 hours. The deadline is measured in clock hours, not business hours, so you should have a plan in place for meeting it.
The regulator can impose severe monetary penalties for non-compliance with the GDPR. Depending on what you have done wrong, fines can be up to 4% of your annual worldwide turnover or EUR 20 million, whichever is greater.
Individuals may be able to bring an action against your organisation in the civil courts if your organisation has failed to comply with the GDPR.
The misuse of personal data can be a criminal offence and can result in criminal convictions.