The new General Data Protection Regulation (GDPR) will be coming into force across the EU on May 25 next. The Regulation makes significant and in some areas radical changes to current policies which have been based upon the existing EU Data Protection Directive.
The new Regulation transfers ownership of an individual’s personal data from the data holder to the individual concerned, the data subject. In future all companies and organisations are legally bound to respect not only the data but also the rights of the individual over all of his or her personal data. These rights will determine the manner and purposes for which personal data is collected and processed.
While non-compliance with GDPR may lead to significant fines by the Data Commissioner (up to 4% of annual turnover or €20M) or to legal cases in the courts, compliance with GDPR ought to be seen as essential not only for business reputation and for morale in the workplace, but above all for demonstrating commitment to the highest levels of respect and concern for customers and clients.
The requirements of GDPR imply that businesses and organisations need to make significant changes to their modus operandi quickly, so as to cover the following general areas:
- Interaction with clients and customers regarding the collection and processing of data and the different rights which data subjects have over their data.
- Limitations on data that can be collected or required from individuals.
- Implementation and consistent updating of security measures to protect this data.
- Preparation of policies and procedures to handle the various communications and activities relating to personal data.
- New and stringent limitations on sending personal data of any resident of the EU outside of the EU for any form of processing.