The General Data Protection Regulation (GDPR) is a European Union (EU) Regulation intended to strengthen and unify data protection for all individuals within the EU. It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The regulation comes into force on the 25th May 2018.
In light of the UK’s impending Brexit, it is worth noting that this is likely to be one area of law which will remain unaffected by the UK’s departure, as any entity which trades in the European Union will be required to comply with GDPR.
The main changes introduced by the GDPR include:
- Consent to processing must now be given explicitly and affirmatively. This will likely remove the ability to rely on silence or inactivity (such as failing to tick a box) to prove consent to the processing of data. Consent may also be withdrawn at any time, and must not be used as a pre-condition for a contract for which data processing isn’t necessary;
- Data Processors (being those who are processing data on behalf of another entity) will now be subject to compliance requirements too; and
- Subject Access Requests must be complied with within 1 month, instead of within 40 days.