GDPR stands for General Data Protection Regulation, an EU regulation that companies will need to comply with. It applies in the UK from 25 May 2018. It replaces the 1995 Data Protection Directive (implemented in the UK as the Data Protection Act 1998) and builds on the same principles with stricter rules and much larger penalties.

It applies to any business that holds personal data, that is, data about an identified or identifiable living individual. If you are not already registered with the Information Commissioner's Office (ICO), you can check on their website whether you need to register.

The ICO also publishes a useful checklist on preparing for GDPR. In summary:

  • Review information you hold

  • Communicate privacy information

  • Document individuals' rights and your procedure for handling subject access requests

  • Review how you obtain consent, including how you obtain parental consent for children's data

  • Have procedures in place to detect, report and investigate personal data breaches

  • Appoint a Data Protection Officer where required, or otherwise assign clear responsibility for data protection compliance

Computer Weekly also published a useful guide to the changes. Its main points:

  • The GDPR applies to organisations worldwide that process personal data about individuals in the EU, whether or not the organisation itself is based in the EU.

  • The GDPR treats any data that can be used to identify an individual, directly or indirectly, as personal data. The definition explicitly covers genetic and biometric data, factors specific to a person's physical, mental, economic, cultural or social identity, and online identifiers such as IP addresses.

  • The GDPR tightens the rules for obtaining valid consent: consent must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give.

  • The GDPR makes the appointment of a Data Protection Officer mandatory for certain organisations: public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data.

  • The GDPR introduces mandatory data protection impact assessments (DPIAs, often called privacy impact assessments) for processing that is likely to pose a high risk to individuals. A DPIA documents what personal data is collected and why, how it is stored and protected, who it is shared with, and what is done to reduce the risks.

  • The GDPR harmonises the various data breach notification laws in Europe. A personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it where feasible, and to the affected individuals without undue delay where the breach is likely to result in a high risk to them. This means organisations need ongoing monitoring to detect breaches, not just a response plan.

  • The GDPR introduces the right to erasure, commonly called the right to be forgotten.

  • The GDPR extends liability to all organisations that touch personal data: data processors (for example hosting and SaaS providers) now have direct legal obligations and can be held liable alongside the data controller.

  • The GDPR requires organisations to design their systems and processes so that privacy is the default ("data protection by design and by default"), for example by collecting only the data needed for a stated purpose and limiting access to it.

  • The GDPR allows any European data protection authority to take action against organisations, regardless of where in the world the company is based, with fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.