The Right To Be Forgotten: A Guide to GDPR
Yes, “GDPR” is another acronym you need to remember. Why? Because forgetting it could be very expensive.
GDPR stands for General Data Protection Regulation and it’s set to replace existing data protection law in all EU member states from 25 May 2018. Given that the GDPR applies to all companies that process the data of individuals based in the EU, and failure to comply may cost you €20 million or more, it’s definitely worth familiarizing yourself with the essentials.
Five things you should know:
1. What is GDPR?
The GDPR is designed to unify a set of data protection rules that will apply across the EU. The GDPR retains and enhances existing protections while also introducing some important new requirements.
2. Does the GDPR apply to my company?
The GDPR applies to the processing of personal data of people located in the European Union. This means even if your company is located outside the EU but processes the personal data of individuals based in the EU, it will be subject to the requirements of the GDPR.
3. What obligations does the GDPR place on our company?
The GDPR requires entities that process personal data to demonstrate their compliance: for example, a company must hold an inventory of the personal data it processes, and must create and maintain clear data protection notices and policies that show what it does with that personal data.
4. What does the GDPR do for the individual?
The GDPR also enhances the rights of individuals (whom it refers to as “data subjects”). The enhancements include:
- Portability of data – the right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
- The right of erasure of data, aka ‘the right to be forgotten’.
- Access rights. Under the GDPR, individuals will have the right to obtain: confirmation that their data is being processed; access to their personal data; and other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see Article 15). These are similar to subject access rights under the existing legislation, currently in force until May 2018 (via the Data Protection Act 1988).
5. What are the consequences of getting it wrong?
Failure to comply with the GDPR obligations will result in the imposition of penalties up to 4% of annual worldwide turnover or €20 million, whichever is greater, and of course concomitant damage to your company’s reputation.
Careful observation and compliance with the GDPR, on the other hand, will augment your company’s reputation and, thus, its value.
The Clock is Ticking
With just over six months until the GDPR applies, it’s important for a company to map out what personal data it is processing in order to determine what levels of compliance are required.
When undertaking any type of data processing, consideration should be given to whether a data impact assessment needs to be undertaken, for example, where the processing is likely to result in a high risk to the rights and freedoms of the individuals involved.
Consideration should also be given to whether your company is required to appoint a data protection officer (“DPO”).
The next six months will go by quickly, so if you have any questions or would like more information, please don’t hesitate to contact us. We can help guide you through the process of creating a GDPR roadmap to ensure any necessary transition or introduction of policies and procedures are as seamless as possible.
Edward Sloan – Founding Partner London – [email protected]
COO Space Network | Advisor | Founder | Investor | Capital Markets | GlobalScot
7 years ago: Hey Allan Rooney - we should discuss this more... we are doing a bunch of stuff in the GDPR space in terms of helping with regulatory compliance and tracking through to the changes needed.