Stronger rules on data protection from 25 May 2018 mean citizens have more control over their data and business benefits from a level playing field: one set of rules for all companies operating in the EU, wherever they are based. Find out what this means for your SME.
What is personal data?
You have to abide by the rules.
Process data for other companies? This is for you too.
Why change the rules?
It's about trust...
A lack of trust in the old data protection rules held back the digital economy, and quite possibly your business.
of people feel they have complete control over the information they
And helping business boom...
One set of rules for all companies processing data in the EU
Doing business just got easier and fairer
New rules boost confidence and, in turn, business.
What your company must do
Protect the rights of people giving you their data.
Use plain language.
Tell them who you are when you request the data. Say why you are processing their data, how long it will be stored and who receives it.
Consent is one of the legal grounds for processing data (together with contract, legitimate interest, legal obligations, etc.). If you rely on it, consent must be given by a clear affirmative action.
Let people access their data and give it to another company.
Inform people of data breaches if there is a serious risk to them.
Give people the ‘right to be forgotten’. Erase their personal data if they ask, but only if it doesn’t compromise freedom of expression or the ability to research.
If you use profiling to process applications for agreements like loans, you must:
Inform your customers;
Make sure you have a person, not a machine, checking the process if the application ends in a refusal;
Offer the applicant the right to contest the decision;
Ensure an appropriate legal basis to carry out such profiling.
Give people the right to opt out of direct marketing that uses their data.
Use extra safeguards for information on health, race, sexual orientation, religion and political beliefs.
Collecting data from children under 16? Under the GDPR you must have parental consent. However, each Member State can lower this threshold to between 13 and 16 years of age, so check the age limit.
Data transfer outside the EU
Check the availability of transfer mechanisms like model contract clauses when there is no adequacy decision for the country of destination.
Do data protection by design
Build data protection safeguards into your products and services from the earliest stages of development.
Processing data for another company?
Make sure you have a watertight contract listing the responsibilities of each party.
Check if you need a data protection officer
This is not always obligatory. It depends on the type and amount of data you collect, whether processing is your main business and whether you do it on a large scale.
Yes: You process personal data to target advertising through search engines based on people’s behaviour online.
No: You send your clients an advert once a year to promote your local food business.
No: You are a GP and collect data on your patients’ health.
Yes: You process personal data on genetics and health for a hospital.
You should keep records of data processing activities:
Details of your business;
Categories of data subjects and personal data;
Organisations receiving the data;
Transfers of data to another country or organisation;
Time limit for erasure of data, if possible;
Security measures used when processing, if possible.
Anticipate with impact assessments
Impact assessments may be required for HIGH-RISK processing, for example:
Automatic, systematic processing and evaluation of personal information;
Large-scale monitoring of a publicly accessible area (e.g. CCTV);
Large-scale processing of sensitive data like biometrics.
The cost of non-compliance
Your local Data Protection Authority monitors compliance; this work is coordinated at EU level.
The cost of falling foul of the rules can be high.
Suspension of data processing