Taking control of personal data under GDPR

Getting a business ready for GDPR

The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. If your business holds and decides how to use the personal data of an individual, it is a “data controller”. You must make clear, to a greater extent than under the existing rules, what the data is to be used for. If the data is shared or transferred to someone else (e.g. if you use the Cloud or send payroll information to a payroll provider), you should notify the individual and possibly get the individual’s consent. If you have already obtained consent, that consent may need to be updated before the new legislation comes into force, so that it is clear to the individual what different uses you may make of the data and who you may share the data with. Any consent you obtained before, on any basis that does not comply with the new rules (which include a positive opt-in and detailed information about use and transfer of data), will become invalid.

Apart from the need to renew or update consent, you will also need to be able to keep a record of what consents have been given, for what purposes, what data you hold and where it came from. If you share or transfer personal data, you must check that the other person complies with the new rules, since the data controller is always liable for any breach of GDPR.

Getting consent under GDPR may not be all you need. If you are using data for electronic marketing purposes, you will also need to look at the Privacy and Electronic Communications Regulations, which contain separate rules about electronic marketing and consent.

If you are a business which holds or uses personal data, you should get advice about GDPR before time runs out. Speak to our specialist solicitor Hugh Middlemass on 0113 320 5000.