The General Data Protection Regulation was adopted by the European Parliament in April 2016 and comes into force on the 25th May 2018.
The current UK Data Protection Act 1998 sets out how your personal information can be used by companies, government, and organisations. GDPR changes how this personal data can be used and applies to both personal data and sensitive personal data. Personal data, a complex category of information, broadly means any piece of information that can be used to identify a person. Companies covered by the GDPR will be more accountable for their handling of people's personal information, which means organisations need to implement rigorous data protection policies and hold documentation of how data is processed.
As well as putting new obligations on the companies and organisations collecting personal data, the GDPR also gives individuals more power to access the information that is held about them. One of the most talked-about elements of the GDPR is the power for regulators to fine businesses that do not comply with it. Under the GDPR, serious offences can attract fines of up to €20 million or four percent of a company's global turnover (whichever is greater).
GDPR will have a varying impact on businesses and organisations. To prepare for the start of GDPR, organisations must take steps such as making senior business leaders aware of the regulation, determining which information is held, updating procedures around subject access requests, and defining what should happen in the event of a data breach.