‘More than 40% of UK marketers say their business is NOT READY for the changes in the forthcoming General Data Protection Regulation.’
Source: DMA Oct 2017
GDPR is underpinned by six principles. In summary, personal data should be:
Any information relating to an identified or identifiable living person (‘data subject’). In practice this could cover names, email addresses, phone numbers, date of birth, bank details, address, etc. This can be:
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
The GDPR applies to processing carried out by organisations established within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU, or that monitor the behaviour of individuals in the EU.
There are six legal grounds through which you can process personal data:
Where you rely on consent, it must be freely given, specific, informed and unambiguous, and you must be able to demonstrate that it was given. A double opt-in, with a record kept of both steps, is one practical way to prove this.
A personal data breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk, the affected individuals must also be told. Processors must notify the controller as soon as they become aware of a breach.
An individual has a right to ask what information is held about them and for what purpose. These requests must normally be answered within one month (extendable by a further two months for complex or numerous requests) and free of charge, although a reasonable fee can be charged for requests that are manifestly unfounded, excessive or repetitive.
If an organisation breaches the GDPR, fines could reach €20 million or up to 4% of global annual turnover of the previous year, whichever is highest.
However, the GDPR allows for warnings, reprimands or temporary suspensions of data processing. It’s unlikely a maximum fine will apply in every case.
Individuals can also claim compensation from data controllers or processors who infringe the regulation, for any material or non-material damage they have suffered.
The GDPR outlines the criteria that will be applied when the ICO is considering a sanction:
The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate and remove those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.