The GDPR enhances existing data subject rights and also includes a new data subject right of erasure of personal information.
A new EU data protection framework has been adopted. The “General Data Protection Regulation” or “GDPR” will replace the current Directive and will come into force in EU Member States directly without requiring national legislation. The changes implemented by the GDPR are substantial. However, the provisions do not apply until 25 May 2018, to allow those in control of personal data to prepare.
The GDPR imposes key changes including (to name only a few) an expansion of territorial scope, so that data controllers and processors located outside the EU offering goods/services to individuals in the EU will be regulated; the “right to be forgotten” to allow individuals to have their personal data deleted if there are no legitimate grounds for it being retained; and the obligation on data controllers to notify the relevant national data protection regulator (Information Commissioner’s Office in the UK) of any data breaches without undue delay.
The GDPR will have a significant impact on all organisations within the EU and also on those outside who offer goods and services into the EU including online. It is important that organisations understand the impact the GDPR will have on their activities and plan to implement the necessary changes. The Information Commissioner’s Office has published a guide outlining 12 steps to prepare for the arrival of the GDPR.
If you have any queries or would like to discuss how we can help your organisation to prepare for the GDPR, please contact the Corporate and Business team.