Any organisation that controls or processes data will need to abide by the GDPR. These are key terms under GDPR, so it’s worth understanding the difference:
So, the controller could be any organisation, from a profit-seeking company to a charity or government. A processor could be an IT firm doing the actual data processing. If you do everything in-house, your business is both a controller and a processor.
Even if controllers and processors are based outside the EU, the GDPR still applies to them so long as they are dealing with data belonging to EU residents. It is the controller's responsibility to ensure its processor abides by data protection law, and processors must themselves keep records of their processing activities. If processors are involved in a data breach, they are far more liable under the GDPR than they were under the Data Protection Act, because the new rules apply strict obligations to them directly.
In a nutshell, the GDPR means that your data handling processes have to abide by the following rules:
The most important point to take away from the new legislation concerns consent. Previously, if you held information about someone you could use it to contact them directly or pass it on to other organisations. Under the GDPR, you will need to ask them directly for permission to use their data, and "personal data" now covers not only contact details but also IP addresses, financial information, and details about mental health or culture (such as religious practices).
When asking for consent, you must be very clear about how their information will be used and who will see it. Controllers must keep a record of how and when an individual gave consent, and individuals may withdraw their consent whenever they want.
If your current way of obtaining consent doesn't meet these new rules, you'll have to bring it up to scratch or stop collecting data under that model when the GDPR applies in 2018. If you're not GDPR compliant in time, you may be hit with serious fines – significantly larger than under the current rules – which could damage your income and your reputation amongst both clients and partners. You could also face prosecution if you deliberately breach the Regulation.