GDPR is concerned with the collection, storage and processing of personal data.
The two sets of rules to be aware of are the General Data Protection Regulation 2016 ("GDPR") and the Privacy and Electronic Communications Regulations 2003 ("PECR"), which govern electronic marketing communications.
GDPR applies to the personal data of all people in EU member states, even if the company processing it is not located there. It comes into force on May 25, 2018, and, as a Regulation, does not need member countries to make it law first (though each country will then add it to its own laws). It replaces the Data Protection Act 1998.
Each country has its own supervisory authority, and each company must register with one. If you have offices in multiple countries, choose the one where your head office and legal counsel are located; otherwise you will be accountable to the authority in each country.
In the UK the authority is the ICO, whose website contains the regulations, many other guides and a 12-step programme.
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Non-compliance can result in the following levels of action by the ICO:
- Suspension of data processing
- Top-level fine of €20 million or 4% of global annual turnover
What is personal private data? Examples include:
- Online identifier
- Health information
- Cultural profile
What is sensitive personal data? It includes:
- Racial or ethnic origin
- Political opinions
- Religious beliefs
- Whether a member of a trade union
- Physical or mental health
- Sexual history
- Record of any offence