GDPR Basics

November 29, 2018

GDPR is a hot topic at the moment because it overhauls and harmonises data protection law across the EU. The General Data Protection Regulation came into force on 25 May 2018 and, in the UK, replaced the Data Protection Act 1998. It is the biggest change in data protection legislation for over 25 years and is intended to give individuals back control over their personal data.

Performance Leads has always taken data protection obligations seriously and will continue to do so under the new European legal framework surrounding the General Data Protection Regulation and the proposed ePrivacy Regulation.

Why Was GDPR Created?

There are two key reasons for the overhaul of the existing legislation:

The EU wants citizens to have more control over their own personal data.
The EU wants businesses to have a single, harmonised legal framework to work within.
Under the previous regime (the 1995 Data Protection Directive) each member state implemented its own national law, so organisations faced a patchwork of differing rules across the EU. This was confusing, led to inefficiencies and acted as a barrier to trade.

Who is in Scope?

The legislation reaches beyond EU borders: it applies to any organisation, wherever it is established, that offers goods or services to individuals in the EU or monitors their behaviour, whether it processes the personal data itself or contracts another organisation to do so. Two roles are defined:

Processor – The party that processes personal data on behalf of, and on the instructions of, a controller
Controller – The party that determines why and how (the purposes and means for which) the personal data is processed

Key Regulatory Points

Personal data must be processed lawfully, and "lawful" means that one of the six legal bases in Article 6 applies: the data subject has given consent; processing is necessary to perform a contract with the subject; it is necessary to comply with a legal obligation; it is necessary to protect the vital interests of the subject (for example, where their life is at risk); it is necessary for a task carried out in the public interest; or it is necessary for the controller's legitimate interests, provided those are not overridden by the subject's rights.
Consent must be an active, affirmative action – the subject must tick the box themselves; pre-ticked boxes, silence or inactivity do not count. Consent must also be freely given, specific, informed and as easy to withdraw as it was to give. Controllers must be able to demonstrate consent, so they must record what the subject consented to, how and when.
Subjects have the right to access their personal data at "reasonable intervals". What is "reasonable" depends on the type of data being held and how frequently it changes. The controller must respond to a request within one month; this can be extended by a further two months for complex or numerous requests, but the subject must be told of the extension, and the reason for it, within the first month.
The "right to be forgotten", or the "right to erasure", gives individuals the right, in certain circumstances, to have their personal data deleted.

Data Breach

In the event of a personal data breach, the organisation in question must notify the supervisory authority (the ICO in the UK) within 72 hours of first becoming aware of the incident, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. This is an initial alert: the regulation allows the information to be provided in phases, and a full investigation and impact assessment are expected to follow. Where the breach is likely to result in a high risk to individuals, the organisation must also inform the affected individuals without undue delay. The organisation must keep an internal record of every breach, whether or not it is reported. There are significant penalties for breach of the regulations: up to the greater of 4% of the organisation's global annual turnover or 20 million Euros for the most serious infringements, with a lower tier of 2% or 10 million Euros for others.

In Summary

As an organisation we will be producing a series of blogs and checklists on GDPR with the goal of assisting our clients with their obligations under the new regulations.