This revised regulation places a legal responsibility on companies to manage, in a new defi ned way, the Personal Data they hold and process about private individuals.

The current regulation, based on EU Directives from 1995, placed the burden of proof on the individual or the Regulator to show how the Company has misused their personal data. The new 2018 regulation clearly places  the responsibility on the Company to show they have not misused the personal data they hold. This is a fundamental shift in perception and each Company needs to address this change.

The defi nition is broad and it covers any person. This can include those who have a relationship with you such as a candidate who submitted a CV, an employee, customer or supplier. It also includes those with no relationship with the Company such as a market researcher.

Any data that can identify an individual. Examples include name, address, phone number and emails.

Any individual may approach your Company and ask which of their personal data you process and/or require a formal confi rmation that you hold no personal data on them. If you do hold such data you must confi rm what you hold, how you use it and should the individual so request, erase it.

If you store data employee details in HR, customer details in CRM systems or Customer Loyalty programs, or supplier details in Supply Chain systems, it is likely this regulation applies to you.

Large B2C companies such as Financial Services, Retailers and Telecoms have been working on reengineering processes for 18 months. B2B companies are now working on GAP analyses with process reengineering started
or commencing. The effective date is 25 May 2018.