GDPR (General Data Protection Regulation) is a regulation that comes into effect on 25th May 2018 and affects all businesses that deal with residents of the European Union, including:
- Businesses that have offices or locations in the EU
- Businesses that sell products or services to locations in the EU
- Businesses that sell products or services to residents of the EU that live outside the EU
Any business found not sticking to the rules could be charged fines of up to €20 million or 4% of the company's global annual turnover, though the toughest fines will be reserved for the worst data breaches or data abuse.
Once the legislation comes into effect, controllers of data must ensure personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
This regulation can be interpreted in many ways, and if you are concerned, we recommend you get legal advice. Please note that this information is based only on our understanding of the regulation and should not be taken as legal advice.
The regulation requires that you get express consent from anyone you collect data from (eg. customers, email list subscribers, etc.). You must also give them the ability to have all data on them permanently deleted at their request, and once you no longer require their data (eg. they are no longer a customer, have closed an account, etc.) you should permanently delete all data relating to them.
The regulation also requires that any data you hold on existing EU residents should either be deleted or you must get consent from them to keep this data, even if you have previously obtained consent. For example, if you have an email mailing list with EU residents on it that they have previously subscribed to, then you should request new consent from them in light of this new regulation.
This consent also extends to any third party systems you use to collect data such as email marketing systems, cookies, etc.
What should I do?
As mentioned earlier, if you do a lot of business with the EU then we recommend you get legal advice to ensure you have everything covered. However, we have identified that the following should be done as a minimum:
3) Identify and contact any EU residents on your database and request written consent to keep their records. You must delete their records if you do not receive consent by 25th May 2018.
4) Update any systems you have to ensure that wherever you collect data (such as email subscription forms, customer registration forms, etc.) there are tick boxes that the EU customer must tick to provide consent to be added to your database.
5) Put in place procedures for deleting data if a client requests it or closes an account with you.
If you need any assistance with implementing any of this on your websites, please contact us.