As of 25 May 2018, the General Data Protection Regulation (GDPR) will reform data protection and privacy laws across Europe and beyond.

The new rules:

  • Create new responsibilities for organisations that collect, use or store information about people.
  • Give people new rights about how their data is collected, used and stored – including the right to have data corrected or deleted.

Six things you need to know...

  • European regulators will have the power to serve fines of up to 4% of a business' annual worldwide turnover of the preceding financial year
  • Where individuals demand to know what information is held on them, the data controllers will have less time to respond, and will not be allowed to charge
  • Where data is lost or stolen, the breaches will have to be reported to the regulator within 72 hours of discovery
  • Rights under the GDPR apply to EU citizens, regardless of where the company processing their data is based
  • Individuals will have the "right to be forgotten" – so that, in some cases, they can demand that their data is deleted
  • Jersey will implement its own local legislation commensurate with the GDPR

Six things you need to do...

  • Review your records management systems and processes, both electronic and paper-based, to ensure they are consciously designed to support the efficient discovery of information
  • Identify the legal bases you rely on to process data. If you rely on the data subject's consent, consider whether it complies with the GDPR and what changes you may need to make
  • Test your organisation's ability to quickly isolate data relating to a specific individual in the necessary time period provided under the GDPR
  • Create procedures or review any existing procedures regarding responding to SARs and governing the refusal of requests
  • Identify a point of contact within the organisation that will deal with Subject Access Requests (SAR) and ensure that their contact details are easily available
  • Review and update your existing contracts and websites to make them GDPR compliant

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.