May deadline for data protection

Major changes in the rules governing how businesses manage personal data take effect this May. It is essential you are familiar with the new requirements.

The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and will replace existing data protection rules. Although this is EU law, the government has said it will remain in force after Brexit.

The GDPR gives individuals – including customers and employees – greater control of their personal data held by businesses and other organisations. It covers personal data held electronically and in structured paper records alike. Businesses need a lawful basis for every use they make of a person’s data: consent is only one of six such bases, and where it is relied on it must be freely given, specific, informed and unambiguous, with explicit consent required for special categories such as health or biometric data.

A new right to data portability will allow individuals to obtain the personal data they have supplied and move, copy or transfer it from one IT environment to another. Your business must therefore be able to identify all of an individual’s data and provide it in a structured, commonly used and machine-readable format, such as CSV or JSON, rather than as a printout or scanned document.

Subject to various conditions, individuals will also have the right to: be informed how their data will be used; have their data corrected or deleted; restrict or object to processing of their data; and not be subject to decisions based solely on automated processing, including profiling.

By 25 May, you need to know what data you are holding and for what purposes. In particular, organisations must:

  • Ensure that employees are fully informed about the uses being made of their personal data, and that HR staff have training in the new rules.
  • Delete all information about employees and customers they no longer need.
  • Only collect and process personal data they legitimately need for identified purposes.
  • Update their procedures for handling subject access requests, which must normally be answered within one month of receipt.

Don’t delay: the penalty for getting it wrong after 25 May could be up to €20 million or 4% of annual worldwide turnover, whichever is the higher.