Enforcing GDPR
With the GDPR now enforceable, the most immediate impact may come from EU residents asking organisations for details of their personal data. Under the new rules, 'data subjects' are no longer required to pay for these requests (unless they become excessive), and several groups have indicated they plan to test the new legislation as soon as possible. The GDPR gives an organisation one month to respond to a 'data subject access request'. It may be possible to extend this but, ultimately, regulators will expect the information to be provided in a simple format, and some form of sanction can be expected in the event of failure. Very few organisations are likely to be completely compliant with the GDPR straight away, but it is essential to know what personal data you hold and where it is, and to have a written policy so that you have a clear process (and templates) in place to deal with such requests. Without this, compliance is impossible.