The legislation, which aims to provide more trust in the emerging digital economy, came into effect throughout all EU Member States on 25 May 2018, and provides stronger data protection laws, and tougher enforcement measures.

In fact, punishment for non-compliance or serious data breaches has an upper limit of €20 million or 4% of annual global turnover (whichever is higher), making the threat of insolvency and closure of businesses very real. So it’s absolutely imperative that companies act to remain compliant.

GDPR applies to all ‘controllers’ and ‘processors’ of data. Controllers oversee how personal data is processed and must ensure that personal data is processed lawfully, transparently, and for a specific purpose. Once the data is no longer required, controllers are responsible for deleting it. They are also responsible for ensuring that their processor abides by the rules.

A processor, meanwhile, includes any company, such as an IT organisation, that processes personal data in any form. They are responsible for maintaining their own records regarding their data processing activities.

Even if a controller or processor is based outside Europe, they will still be subject to the rules if they control or process data from an EU citizen. Brexit, when it happens, will not affect these rules, and means that UK businesses will still subject to GDPR at least for the foreseeable future.

As well as strengthening data protection laws and increasing financial punishments for non-compliance, the legislation also impacts a broader range of areas, bringing new challenges for businesses.

For example, the law now encompasses voice call recordings, as well as data communications, as these are considered to be ‘data processing’. Such communications with citizens and consumers is likely to include names and addresses, and other personal information, and so is subject to GDPR.

At the same time, organisations are expected to receive ‘active consent’ from callers to allow their call or communication to be recorded, stored and used for data processing purposes. Data must also be deleted at the end of the agreed timeframe.

Another complex area is that of ‘greater access to personal data’. Any organisation is expected to grant user access to the data stored on them ‘without delay’, which provides a challenge for most organisations.

Yes, it is a major headache, but burying your head in the sand is not an option.

But you’re not alone. Touch has been helping organisations to meet the highly complex MiFID financial rules for decades, and our call recording services come pre-GDPR-compliant. It’s a cloud-based solution, requiring no cumbersome and expensive hardware or software deployments. Put simply, we can solve the headache of GDPR for you. So get in touch with us today, don’t delay!