GDPR is an EU regulation to replace (and enhance) our Data Protection Law, and all other law on the subject of data and privacy throughout the EU.
Main General Principles
- Make and keep records about the different types of data you hold about Persons.
- Obtain the permission of Persons to collect data about them, and specify the purpose at the same time.
- Have systems that enable subject Persons to request the data stored about them.
- Have systems to ‘forget’ data about a Person, if requested.
- Protect Personal data from the risk of theft or of being passed to others.
The regulation introduces large fines for failing to meet the standard.
The ‘GOOD’ News:
There is a derogation for companies with fewer than 250 employees.
If that means you (and it means most of us), what do you need to do to be on the right side of the law? Or rather, what action makes sense for a small company?
- Stick to the previous Data Protection law regarding the use made of Personal data.
- When you collect Personal data (for example from your web site), ask for their agreement (“Tick the box if you do not want to receive emails from us”) and explain what you use it for, e.g. mailing, sales planning, customer support.
- Make sure the data is safe from hackers, internal theft, etc.: secure communications to and from your data, encrypt or anonymise data (especially names), and have thorough systems to control access, by passwords etc.
There are lots of ‘special’ rules regarding children, public records, ‘profiling’ and more. Less than about 5% of the EU regulation covers all of the above and more! In fact, two-thirds of the regulation is advice to the 28 EU members on how to implement the law.
If you would like a more detailed ‘summary’ you can get it from LBT