The General Data Protection Regulation (GDPR) is a new set of data privacy laws that require businesses to prioritize the protection and privacy of personal data belonging to European Union (EU) residents.
The GDPR came into force on the 25th of May 2018.
Basic things to know about the GDPR are the following:
The GDPR applies to any and all companies processing the personal data of EU residents. The location of the company doing the processing is irrelevant.
Personal data is defined as anything that can identify an individual, be it directly or indirectly. A phone number, an ID number, a photo, a Facebook post and a CV are examples of personal data.
If your business intends to use personal data in any way, then consent must be sought from the data subject, be it your client, lead or supplier.
The consent must be simple and clear, using plain language.
3. The Right To Be Forgotten:
Also known as the Right To Erasure, the Right To Be Forgotten is another key point in the new GDPR and enables a person to have their personal data expunged by a data controller due to irrelevance or a withdrawal of consent. Therefore, businesses must be ready to comply with such requests.
4. Breach Notification:
This is also an important provision. In the event of a data breach, your business must notify the affected individuals. The notification must take place within 72 hours of first becoming aware of the breach. This obligation is applicable where the data in question hasn't been anonymized.
5. Privacy By Design:
The underlying idea here is that the systems and platforms of your business must be built from the ground up with data protection in mind, not have it added on along the way. Article 23 of the GDPR takes this concept even further by stating that data controllers must hold and process only the vital information needed to carry out their duties, and access to such data should be limited to necessary personnel only.
6. The Right To Information:
Any data subject has the right to be informed about how and to what extent their personal data will be used by your business. This right can be exercised at any stage. Therefore, at the start of the relationship, it is advisable to obtain the necessary consents.
7. Data Portability:
Every data subject (customer or client) has the right to receive their personal data from a data controller and transfer it to another provider should they so choose. According to the GDPR, your business must be capable of and willing to accommodate such a request.
Originally published 09 August 2023
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.