Across the European Union, new data protection legislation, due to come into force on May 25, 2018, aims to reshape the way organisations across the region approach data privacy.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive (DPD) 95/46/EC and was designed to harmonise data privacy laws across Europe. Data controllers and data processors have increased responsibilities to ensure that personal data of the individuals is protected effectively.

Published in Close Brothers' quarterly Business Barometer, a global market insight survey showed that less than half of the 900 companies surveyed thought they understood the new and extended rights that customers have under GDPR when it comes to collecting and utilising personal information.

Neil Davies, ceo, Close Brothers Asset Finance, explains: "How it works is that companies must get prior consent from data subjects (opt in) and record that consent. What's more, the consent must relate specifically to the purposes of why a company needs that data; companies cannot get consent for one purpose and then use the gathered personal data for another. On top of this, consumers must be able to revoke their consent as easily as it was originally given because many consumers complain that it is easy to opt in to data gathering, but difficult to unsubscribe or opt out."

GDPR's definition of personal data is more detailed than the DPD, and makes it clear that information such as an online identifier, e.g. an IP address, can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.

For the road freight sector, Helen Goldthorpe and Richard Wadkin of law firm Shulmans, explained how operators and commercial drivers collect vast amounts of data:

"Managing a fleet is virtually impossible without holding at least some data on individuals.  This includes checking driving licence details, keeping records of vehicle usage and possibly the more detailed data that can be captured by telematics or recording devices.

"There is also potential use of data about third parties if they are involved in incidents with the vehicles, whether as part of a claim or because they are recorded on camera.  It is common for personal data to be processed by or transferred to third parties, for example during the licence checking process, when dealing with any speeding or parking tickets, or in dealings with insurers.

"This means that it is vital to work through how this data is used and safeguarded, and to make preparations to ensure that your business will continue to operate compliantly beyond May 2018.  Even organisations that are currently data protection compliant will have some adjustments to make."

Ignorance with regard to the incoming GDPR could lead to crippling financial penalties for those who abuse it, inadvertently or otherwise.

According to the EU GDPR portal, under the new legislation, organisations in breach of GDPR can be fined up to 4 percent of annual global turnover or EUR20 Million (USD23.3 million), whichever is greater. This is the maximum fine that can be imposed for the most serious infringements.

There is a tiered approach to fines e.g. a company can be fined 2 percent for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting impact assessment.

For more information, visit: