General Data Protection Regulations – what has this to do with you?? On 25th May 2018 the biggest change to data regulation in the EU comes into force. This affects you as an individual and also your business if you collect people’s names, addresses or other personal information. It will affect your golf club, your GAA club, your Resident’s Association and your walking group. Yes – it will affect you!GDPR

The General Data Protection Regulation (GDPR) from 25th May 2018 will replace current data protection laws in the European Union.

The new regulation will give individuals greater control over their data by setting out additional and more clearly defined rights for individuals whose personal data is collected and processed by organisations. The GDPR also imposes corresponding and greatly increased obligations on organisations that collect this data.

Personal data is any information that can identify an individual person. This includes a name, an ID number, location data (for example, location data collected by a mobile phone) or a postal address, online browsing history, images or anything relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.

The GDPR is based on the core principles of data protection which exist under the current law. These principles require organisations and businesses to:
• collect no more data than is necessary from an individual for the purpose for which it will be used;
• obtain personal data fairly from the individual by giving them notice of the collection and its specific purpose;
• retain the data for no longer than is necessary for that specified purpose;
• to keep data safe and secure; and
• provide an individual with a copy of his or her personal data if they request it.

Under the GDPR individuals have the significantly strengthened rights to:
• obtain details about how their data is processed by an organisation or business;
• obtain copies of personal data that an organisation holds on them;
• have incorrect or incomplete data corrected;
• have their data erased by an organisation, where, for example, the organisation has no legitimate reason for retaining the data;
• obtain their data from an organisation and to have that data transmitted to another organisation (Data Portability);
• object to the processing of their data by an organisation in certain circumstances;
• not to be subject to (with some exceptions) automated decision making, including profiling.

The rules for dealing with subject access requests (i.e. a request for your personal information held by the business) will change under the GDPR. In most cases, companies will not be able to charge for processing an access request, unless the company can demonstrate that the cost will be excessive.

There are also special requirements for Processing Children’s Data.

This move is being overseen by the Data Protection Commissioner and more information can be obtained at http://gdprandyou.ie/.