Atta Legal Update: GDPR
As you will be aware, the new General Data Protection Regulation comes into effect on 25 May. It covers data held anywhere in the world relating to EU citizens and can therefore cause issues for businesses based outside the EU as well as within it. It remains to be seen, however, how any enforcement action could be taken outside the EU itself, since it is each individual government’s obligation to enforce the new rules. In the UK that is the role of the Information Commissioner (www.ico.org.uk), where members can find a handy, simple 12-step guide to the new rules.
The fundamental issues are to ensure that data is held for as short a period as necessary, is relevant, and has the consent of the person concerned, and that anyone, at any time, can demand to see copies of all information held and demand that it be deleted or amended if so wished. The new Regulation carries with it a threat of fines of up to 20 Million Euro for breaches of the new law, but this is really cloud cuckoo land; in reality a letter of warning is likely to be the outcome if a complaint is made, and very few complaints are made in any event. If there has never been a complaint about data in the past, there is no real reason to assume that situation will change in future.
The real change is the need for new Privacy Notices setting out what data you will hold, why you hold it, what purpose it will be used for, and how to have it changed or deleted. This Draft is intended to cover all eventualities, but those who do not use data to analyse bookings, for example, can simply remove the whole section. There should be a hyperlink on any website to the Privacy Notice, and members should consider how they approach existing clients currently on their database.