GDPR: What is it and why does it matter?

On 25th May 2018 the EU General Data Protection Regulation (GDPR) came into force. GDPR will replace the UK's existing Data Protection Act, first drawn up in 1984, and is set to be the largest piece of data regulation the European Union has ever passed.

GDPR will apply to all organisations that are either based in or operate from the EU or those who are located outside of the EU but processes the personal data of EU citizens. This means these regulations will apply to any UK organisation due to Brexit and Australian organisations in this situation.

What is it?

If you don’t already know, GDPR seeks to protect personal information of EU citizens by regulating how this data is stored, managed and processed.

Personal data relates to any information that a person can be identified by. This includes a wide range of variables such as; names, contact information, a person’s location, bank details, medical information, images and many more. Under GDPR, the definition of personal data also includes online identifiers such as IP addresses and cookies.

Under GDPR, consumers are going to be given even greater power and control over this data. They will have to consent to the use of this data and have the ability to request to see the data that any organisation holds on them. Consumers will also also get a "right to erasure" under GDPR, allowing them to request to have information about them removed.

For businesses, GDPR will mean improving security and protection levels over the data that they possess. Organisations will also have to be more upfront when collecting this personal data. Gatherers will need to make sure that consent is explicitly given and disclose information on the purpose of the data being collected.

Why is GDPR important?

GDPR is a critical issue for businesses of all sizes as it will significantly affect how they gather, store and manage their data. If you are an organisation that wants to collect data from EU citizens for business or research purposes, then GDPR applies to you.

Both 'controllers' and 'processors' of data will need to comply with the GDPR. A data controller determines the purposes for which personal data is being processed. Whereas, a data processor is any party that processes the data on behalf of the data controller. Failure to comply with GDPR or adequately safeguard consumer data will result in a fine, which can be up to €20m, or 4% of a firm’s annual turnover, whichever is greater.

What do businesses need to do?

As we move closer to the implementation of GDPR, it is essential that all organisations are prepared for this increased control over how data is used.

Therefore, it is a good idea to start getting your business ready to be able to demonstrate compliance with GDPR by implementing necessary data protection frameworks. PretaForm , which is an out of the box GDPR "made easy" low-code platform, is designed for creating dynamic eForms, data capture, esurveys and automated worklow, all of which comply with the UK GDS design and accessibility principles.