On 25th May 2018, the General Data Protection Regulation (“GDPR”) came into effect for all firms operating within Europe as well as firms outside of Europe which have data come in from, go through or end up in the EU. As part of this regulation, individuals will be afforded enhanced rights regarding their data. This includes:

  • Data minimisation – Ensuring firms acquire, keep and use only data that they need to operate. This also includes securing informed consent for the use of personal data.
  • The right to be forgotten – Under GDPR, individuals have extended control over their data. They can request to know what data firms hold on them and can ask for said data to be deleted.
  • HR and employee records – Unless a firm has a good reason to retain ex-employees’ data, it should be deleted.
  • Data safeguarding – Ensuring firms have adequate protection policies in place.

GDPR is wide reaching and affects firms and their procedures to a degree not seen in 20 years.