The barrage of e-mails many have experienced concerning the EU’s new General Data Protection Regulation (GDPR) should come to an end now that the law came into force on Friday, but the effects of the wide-reaching legislation will now begin to be felt.

The GDPR aims to overhaul the EU’s 20-year-old data protection laws, giving users more power to control what companies do with their personal data and setting new rules on how companies can collect, process and use this data.

Although the law has been some four years in the making, its implementation comes hot on the heels of the Cambridge Analytica scandal surrounding how data was harvested from Facebook without users’ consent, and increased concern over the safety of our personal data.

Arguably, the biggest change brought in by the GDPR in this regard is that, for the first time, EU data protection law will apply to companies established anywhere in the world that process personal data of individuals in the EU.

But the law also grants several new rights to individuals, including the right to access a copy of the personal data a company holds on them free of charge, and the so-called right to be forgotten, allowing them to have a company erase their data, balanced against the public interest in the data remaining available.

Moreover, individuals now have the right to be notified when there has been a data breach, and the right to easily have their data transferred to a new service provider.

Pertinent to the many e-mails sent out by companies in recent weeks, the notion of consent for your data to be used has also changed: companies can no longer bury a request for consent in lengthy terms and conditions, but must present it in clear and plain language.

Consent now requires affirmative action, so silence or pre-ticked boxes are no longer enough, and individuals must also be able to withdraw their consent as easily as they have given it.

Enforcement of the new law will be in the hands of individual Member States, but is backed up by heavy penalties: up to €20 million or four per cent of a company’s global turnover.

GDPR at a glance

▪ Law will also apply to non-EU companies that process data within the EU.

▪ Consent must be clear and affirmative and cannot be derived from inaction or pre-ticked boxes. Consent must also be easily withdrawn.

▪ Companies must notify of data breaches within 72 hours.

▪ Right to easily access your personal data, have it deleted, or transfer it to a new service provider.

▪ Companies must provide information to users on the data they are collecting in clear and plain language.

▪ Fines of up to €20 million or four per cent of global turnover can be imposed.
