The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
The EU's General Data Protection Regulation (GDPR) is the result of four years of work by the EU to bring data protection legislation into line with new, previously unforeseen ways that data is now used.
Currently, the UK relies on the Data Protection Act 1998, which was enacted following the 1995 EU Data Protection Directive, but this will be superseded by the new legislation. It introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.
A full detailed explaination can be read on the ICO website.
This is a good guide from Wired:
IF YOU ARE IN ANY DOUBT, PLEASE CONTACT YOUR LEGAL ADVISORS AS WE ARE NOT QUALIFIED TO GIVE ANY LEGAL ADVICE.
The GDPR will apply in all EU member states from 25 May 2018. Because GDPR is a regulation, not a directive, the UK does not need to draw up new legislation - instead, it will apply automatically. While it came into force on 24 May 2016, after all parts of the EU agreed to the final text, businesses and organisations have until 25 May 2018 until the law actually applies to them.
While the overwhelming majority of IT security professionals are aware of GDPR, just under half of them are preparing for its arrival, according to a snap survey of 170 cyber security staff by Imperva.
Just 43% are assessing GDPR's impact on their company and changing their practices to stay in step with data protection legislation, Imperva found. While the respondents were mostly US-based, they would still be hit by GDPR if they handle - or contract another firm to handle - EU citizens' personal data.
Despite this, nearly a third said they are not preparing for the incoming legislation, and 28% said they were ignorant of any preparations their company might be doing.
Individuals also have the right to demand that their data is deleted if it's no longer necessary to the purpose for which it was collected. This is known as the 'right to be forgotten'. Under this rule, they can also demand that their data is erased if they've withdrawn their consent for their data to be collected, or object to the way it is being processed.
The controller is responsible for telling other organisations (for instance, Google) to delete any links to copies of that data, as well as the copies themselves.
Yes, the UK is leaving the EU - but the UK government has not yet triggered Article 50, which sets in motion the act of leaving the EU within a two-year timeframe (though it could take longer). This means the GDPR will take effect before the legal consequences of the Brexit vote, meaning the UK must still comply for the time being.
Compliance to GDPR requires detailed, real-time, knowledge of executing digital partners and their activity. This includes the type of data collected and how long the partner remains on the user’s device, i.e., browser, phone, tablet, etc.
If you are wondering how GDPR affects media publishers and their ad tech partners, then you’ve got a lot of catching up to do. GDPR supports the data protection rights of every EU residents. Therefore, every business with EU interests—in the form of customers, legal entities, business infrastructure, etc.—needs to comply. And the global nature of the internet means any business with EU website traffic or app users need to comply as well.
Clearly, to reduce exposure to GDPR violations enterprises should make some changes to digital operations. At a minimum, execute the following for all your digital properties—websites (desktop & mobile) and mobile apps:
←← back to news items