On May 25th, 2018 the European Union’s General Data Protection Regulation came into force, marking a momentous shift in Data Protection legislation worldwide. GDPR not only regulates how data is handled within the EU, it also extends protection beyond the borders of Europe to protect EU citizens whose personal data is transferred outside the region.
Therefore, any business, regardless of where it is located, that does business within the EU must be compliant or else face strong penalties.
What personal data does GDPR cover?
Key elements of GDPR include the right for EU citizens to request which personal data of theirs is being held, to request deletion of said data and a “Right to be Forgotten”.
Your organisation must, therefore, be fully transparent about the types of personal data it collects, give valid reasons for collecting it, and explain how individuals can view and, if they wish, delete that data, all in an easy-to-understand privacy policy.
GDPR defines personal data as any piece of information which can be used to identify an individual – such as one’s name, address, email address, phone number, national ID number, age, sex, race, medical data, financial data or geolocation data – to give just a few examples.
Therefore, in order to collect personal data from an individual and process it, your organisation must have a privacy policy, a privacy notice and a lawful basis for processing. Where the organisation relies on consent as a lawful basis for processing, a positive step must be taken by the individual in order to express consent. This means, for example, that automatic “opt-ins”, such as those traditionally used for collecting email addresses, are no longer permitted.
In short, GDPR guarantees each individual the right to be master of their own data, and any organisation that is unable to fulfil its commitments in this regard risks heavy fines.
Will GDPR still matter after Brexit?
Yes. Remember that GDPR affects all businesses and organisations doing business with, or operating within, any or all EU member states. Britain leaving the EU will not change this fact.
In fact, many of the first casualties, punished for lack of compliance, were large multinationals, most notably Google, which was fined €50 million in January 2019 by CNIL, the French data protection agency, “for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”
Currently, GDPR laws exist in Gibraltar and are supplemented by the Data Protection Act 2004, forming a solid, working foundation for continued post-Brexit GDPR harmonisation.
Sustained compliance with GDPR principles is therefore of continual importance, particularly for multinationals and other organisations that operate across borders.
GDPR lawyers in Gibraltar
From humble beginnings 80 years ago, Hassans has grown to become the largest law firm in Gibraltar. Trusted by generations of Gibraltarians, while also growing its reputation globally, Hassans is consistently Top-Ranked by Chambers Global and rated as a Leading Firm by the Legal 500. Our team of Data Protection lawyers, led by Partner Michael Nahon, has over 15 years’ data protection experience, and advises some of the world’s largest brands including luxury carmaker Porsche and online gaming companies like GVC and 888, on data protection matters.
Hassans also has considerable experience representing client interests with the Gibraltar Regulatory Authority in the event of regulatory action becoming necessary.
If you are unsure as to your specific commitments regarding GDPR and/or related data matters, or require advice/assistance on issues including implementation, administration and training, contact Hassans today.