Getting to know the GDPR

Next year will see one of the biggest shake-ups in Europe’s data protection rules for nearly two decades, and it will change the way that organisations in the public and private sectors handle personal customer information, including those operating in the automotive industry. It will come in the form of the General Data Protection Regulation (GDPR), which enters into force in all EU member states from 25 May 2018. Enforced in the UK by the Information Commissioner’s Office (ICO), it will replace the existing 1995 Data Protection Directive on which UK law is currently based. With Brexit on the horizon, the UK is implementing a new Data Protection Bill which will include all the provisions of the GDPR, albeit with some small changes to the law in this country.


What are the primary objectives of the legislation?


The GDPR has been designed to give consumers greater rights over their personal information, and to put more onus on businesses as to how they protect this data. Personal information can be anything from a name, a photo, an email address, bank details, social networking posts or a person’s medical history, to something as technical as a computer’s IP address.


Who does the law apply to within an organisation?


It applies to ‘controllers’ and ‘processors’ of data. A data controller determines how and why personal information is processed, while a processor is the party doing the actual processing of the data. The controller can be any organisation, ranging from a charity to a government body. A processor could be an IT firm doing the actual data processing on the controller’s behalf.


Will consumers have more power to see the information that’s held about them?


The public will have a lot more power to access information held by a company. At the moment, a business or public body can charge £10 for this request, but under the GDPR, this fee will be eliminated and any personal data must be made available within a month.


Furthermore, the new regulation gives people the chance to get their data erased where it is no longer necessary for the purpose it was collected, if consent is withdrawn, if there’s no legitimate interest, or if it was unlawfully processed. People will also have the right to know if their personal data has fallen into the wrong hands (e.g. hackers).


What happens if a business does not comply with the legislation?


Smaller breaches of the GDPR could result in fines of up to €10 million or 2% of a company’s worldwide turnover (whichever is greater). This can go up to €20 million or 4% of a business’s global turnover (whichever is higher) for those breaches which are considered to be more serious.


How can a business prepare for the arrival of the new legislation?


The Motor Ombudsman has endorsed the GDPR Readiness Programme of Radius Law, the specialist motor law firm, to help ensure businesses are fully compliant before the arrival of the new legislation on 25 May.


The General Data Protection Regulation is also known as Regulation (EU) 2016/679.