The General Data Protection Regulation (GDPR) sets the standards for processing personal data in the EU and has been incorporated into UK law by the introduction of the Data Protection Act 2018.
This data protection regime strengthens the rights of individuals, increases the enforcement powers of supervisory authorities (such as the Information Commissioner’s Office) and imposes new obligations on organisations which process personal data. If you collect, store or use personal data, the data protection regime affects you.
You need to be clear about what personal data you hold about people, how that data is being used and how long it will be retained. You also need a legal basis for processing that data. Be aware that personal data includes anything that could identify a person: names, addresses and email addresses, but also cookies, IP addresses and telephone numbers.
The penalty for a data breach under GDPR is up to €20 million or 4% of annual global turnover – whichever is higher.
Talk to us about:
- Bespoke employee privacy notices
- Employee handbook privacy policies
- Bespoke subject access request response procedure
- On-site training sessions for managers