Changes in data protection laws – don’t get caught out

Are you aware of the dramatic changes being introduced to data protection laws? Have you done anything about it? The consequences of non-compliance are potentially extremely serious. This is the first of a three-part series setting out the basics of the impacts of the General Data Protection Regulation (GDPR) on businesses.

Read on to find out why you need to start looking at how you collect, process and store data now.

What is the GDPR?

The GDPR is an EU regulation which aims to strengthen data protection for individuals within the EU. It was adopted in April 2016 and comes into force on 25 May 2018, so there is a scant 15 months before your business needs to be compliant with all the changes.

The new regulation is being introduced to:

• harmonise the current data protection laws currently in place across all EU member states
• bring the law into the 21^st

Existing UK legislation, the Data Protection Act, dates from 1998 and the EU’s Data Protection Directive on which it is based was introduced as long ago as 1995. With the massive increase in data collection, digital technology and international information sharing, this new regulation is needed to give people extra protection that their data is being used fairly.

Regulation v. directive

There is a significant difference between an EU regulation and a directive. A directive is binding, but usually requires individual states to change their laws in order to implement it. Hence, we have the Data Protection Act and other EU states each have their own similar law. These disparate legal entities make dealing across borders in data disputes a minefield. A regulation provides a solution as it is directly applicable to all EU member states and is immediately enforceable.

What it covers

GDPR will affect everyone and it could have a big impact on any company in the world that deals with the personal data of EU citizens.  Personal data is any information – private or professional – relating to an individual. This includes names, photos, email addresses, bank details, social media posts, medical information, work performance, tax number, username, password, computer IP addresses and a host of other information which could directly or indirectly identify someone.

While the principles of the Data Protection Act still apply, there are some substantial additions and alterations which you need to be aware of and apply to the volumes of personal information your company holds on employees, customers, suppliers.

Part two of our GDPR series outlining the main changes will be published here next week, however if you wish to know more now, download CJAM’s GDPR Q&A document.