On 25 May 2018 the General Data Protection Regulation (GDPR) comes into force, replacing the existing data protection law (in the UK, the Data Protection Act 1998). Fines for non-compliance can reach 4% of annual worldwide turnover or €20 million, whichever is higher.
Both controllers and processors of personal data must comply with GDPR. A controller decides how and why personal data is processed; this is typically an organisation, and it is responsible for using only processors that can meet GDPR's requirements and for binding them by contract. A processor is a person or organisation that actually processes the data on the controller's behalf, and under GDPR processors also carry direct obligations of their own.
Controllers must ensure personal data is processed lawfully and transparently, and only for a specific purpose. Once that purpose has been fulfilled (for example, at the end of a contract) and the data is no longer needed, it should be deleted.
Lawfully means the processing rests on one of the lawful bases GDPR recognises. Consent is one of these, and it is the one that direct marketing usually relies on: if you want to market to someone, they must give you permission. Where you rely on consent it must be a clear, affirmative action by the individual rather than passive acceptance; pre-ticked boxes, silence, or an opt-out buried in an email do not count, and consent must be as easy to withdraw as it was to give.
Under GDPR individuals can ask to see the data you hold on them (the right of access) and to have it deleted (the right to erasure). They can also ask for a copy of the data they supplied so they can take it elsewhere (the right to data portability), which means it must be held in a structured, commonly used, machine-readable format, such as CSV.
The Information Commissioner's Office (ICO), the UK regulator, publishes guidance on preparing for GDPR.