From 25 May 2018 businesses of any size may need to comply with the GDPR if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviours of individuals in the EU.
Businesses that fail to comply risk fines of up to 4% of global revenue or €20 million (whichever is higher).
What does it mean for me?
Do you collect names, ID numbers, IP addresses, cookie data, health data, genetic data, biometric data, racial or ethnic data, or information on political opinions and sexual orientation of EU citizens? This can include current employees, previous employees, existing customers, future customers and previous customers.
If so, the new rules mean that:
EU citizens have the right to access, so companies have to make sure they detail what personal data is being processed; the right to be forgotten and erased, which requires companies to delete personal data upon request; and the right to data portability, so that citizens can transfer personal data between companies.
The UK has launched an advisory website for companies.
Data might not have to be erased if any of the following apply:
- The “right of freedom of expression”.
- The need to adhere to legal compliance, e.g. a bank keeping data for 7 years.
- Reasons of public interest in the area of public health.
- Scientific or historical research, or public-interest archiving purposes.
- For supporting legal claims, e.g. PPI offerings.
Out of Scope
- Non-electronic documents which are not intended to be filed, e.g. a random piece of microfiche or a paper notepad, are not classed as personal data under the GDPR and are therefore not subject to the right to erasure.
- Some personal data sets are impossible (or infeasible) to edit in order to remove individual records, e.g. a server backup or a piece of microfiche.