The General Data Protection Regulation (GDPR) comes into force in just under a year, and is viewed as 'the most important change in data privacy regulation in 20 years' (www.eugdpr.org). UK companies will still need to comply with the regulation despite the current UK government's intention to exit the EU. The GDPR is a regulation, not a directive, which means member state governments do not need to pass national legislation to implement it. It will therefore automatically become law on 25 May 2018.
What is the GDPR?
The GDPR aims to increase protection for all EU citizens with regard to the personal data (which includes employment data) held about them by organisations, regardless of where in the world these organisations are based. Under the terms of the GDPR, organisations breaching its requirements could incur heavy fines of 4% of annual turnover or €20m, whichever is greater.
Why is the GDPR being enforced?
The data landscape and information sharing environment have changed substantially in the last 20 years. The upsurge in the digital economy and the growth of social media, for example, mean that individuals' information needs greater legislative protection. Data is increasingly vulnerable to online hacking, breaches and the appropriation of personal information for identity and financial theft.
The GDPR also aims to unify and simplify consent procedures for individuals giving permission for their personal data to be used. Consent now needs to be clearly worded, and it must be as easy for individuals to refuse consent for their data to be used as it is to allow it.