The legislation is designed to bring data protection procedures up to date and to create a common standard across Europe. It is currently intended that the provisions of GDPR will be retained in UK legislation after Brexit through a Data Protection Bill. Whilst much of the existing regime will be retained under GDPR, there are also some changes.
The most noticeable one for consumers will be changes to how their consent is obtained for marketing activities. Under GDPR, consumers must opt in to communications, giving clear, informed consent for specific purposes. If further marketing activities are proposed above and beyond the scope of consent previously provided, then consent must be sought for each new purpose.
There is also the option to opt out of communications at any time without providing a reason. In some cases, this may mean that businesses need to re-seek the consent of their existing subscribers if the consent already obtained is not sufficient for the marketing services being undertaken.
Individuals also have the right to request copies of their personal data being held by organisations, the right to see it within a month of the request and the right to have the data erased or corrected if incorrect or misleading. These restrictions apply not only to agreements with the organisation but also to third parties, such as suppliers or delivery companies, to whom the data is transferred.
Businesses and organisations will also be subject to tougher guidelines, and there are strict requirements on how businesses must store and process the data, such as the requirement to keep data on a secure storage facility and to promptly report and investigate any breaches. To deter organisations from defaulting on their obligations, the penalties for non-compliance will be the greater of 4% of worldwide turnover or 20 million Euros. The GDPR will be regulated in the UK by the existing data protection regulator, currently the Information Commissioner's Office.
Here at Barrett and Co Solicitors LLP, we will be complying with GDPR.