Robert Bond (robert.bond@bristows.com) is a Partner & Notary Public at Bristows LLP in London, UK.
The EU General Data Protection Regulation (GDPR) will hit many companies hard on 25 May 2018, and preparing for it will expand compliance obligations for a number of reasons. GDPR applies to any business that processes personal data relating to citizens in the EU, wherever in the world that business is located.
GDPR sets out six lawful grounds for processing personal data, of which consent is only one. Whilst there is no doubt that consent is necessary in many cases (particularly where the data is sensitive), the other lawful grounds, such as contractual necessity and legitimate interests, will also need the compliance team's attention.
As GDPR introduces key principles, such as transparency and accountability, businesses will need to ensure that their privacy notices and mechanisms are spelt out in plain and intelligible language, and that there is an audit trail of when and how permission was obtained. For businesses that process large volumes of personal data and/or process sensitive data (special categories of data) as a core activity, there will be a need to appoint a data protection officer to oversee compliance with GDPR.