GDPR stands for General Data Protection Regulation. It applies to both data controllers and data processors. Simply put, controllers decide how and why data should be processed, and processors act on the controller’s behalf. The GDPR will apply to all organisations operating within the EU, as well as those outside it that offer goods or services to those inside. It has been confirmed that Brexit will have no impact on the commencement of the GDPR.
The GDPR, like the DPA, applies to the processing of personal data about a living person. It covers all processing of that data, whether automated or manual. The existing principles of data protection stand and have been built on: you need to think about the information your business needs, how you store it (and how long for), and who is allowed access to it. You also need to consider how the data subject might access it, and their rights to see and influence what you keep.
Both controllers and processors could find themselves in breach of the regulation and there is an obligation on both parties to ensure compliance. Processors have greater obligations under the GDPR than under the DPA, so it’s essential that your whole team understands the importance of information security. Non-compliance could result in significant fines.
A key thing your business needs to consider is what your lawful basis for processing personal data is – and therefore what rights individuals have to the data you collect, hold and use. For many businesses, as opposed to public authorities for example, consent is a necessary part of data processing. The GDPR makes a positive opt-in essential before you process data, and it must also be obvious how a person withdraws their consent for you to process their data, even if it’s as ‘simple’ as having you delete their email address from your mailing list.