The General Data Protection Regulation (“GDPR”) is set to come into force on the 25th May and has been created to regulate how businesses use data. GDPR will apply to businesses of any size and failure to comply may result in fines of up to 4% of annual global revenue or 20 million euros, whichever of the two is higher.
One of the key issues of GDPR compliance is obtaining consent from the data source. Any business that obtains personal information must inform the individual why they have obtained the data and what they propose to do with it. Unless a ‘legitimate interest’ exists for processing that particular data, express consent must be obtained from the individual.
In order to obtain express consent under GDPR, businesses must review their internal policies and procedures. It is recommended that businesses carry out a comprehensive data audit to see what data they hold and what they use it for. Controllers of data must keep a record of how and when individuals gave consent, and every individual has the right to withdraw their consent at any time.
Controllers and Processors of data based outside of the EU will still be subject to GDPR if they are processing data belonging to EU residents.
Now is the time to review policies and procedures. Businesses that follow the good practice recommendations in the Regulation will be well placed to comply with the GDPR regime.
If you need immediate help with anything GDPR, contact Stephen Newman from Ramsdens Solicitors.