When was the GDPR deadline, what is on the compliance checklist and does it apply in the UK after Brexit?
THE General Data Protection Regulation – which has now come into force – is the biggest shakeup of personal data privacy rules since the birth of the internet.
It is aimed at curbing US tech giants like Facebook - but sole traders such as plumbing and window cleaners could face crippling fines if they fall foul of the law. Here's what you need to know.
What is GDPR and when does it take effect?
The General Data Protection Regulation is a piece of EU legislation passed by the European Parliament in 2016.
It became enforceable in all EU countries on Friday, May 25.
Punishing fines for data misuse and breaches can reach £18million or 4 per cent of global annual turnover, whichever is higher.
The GDPR aims to make it simpler for people to control how companies use their personal details.
Strict rules mean companies will not be allowed to collect and use personal information without the person's consent.
Data includes things like a person's name, email address and phone number, and also internet browsing habits collected by website cookies.
Firms must also report any data breaches - including cyber attacks and accidental leaks - to authorities within 72 hours.
Individuals can demand a copy of all data held about them, which must be supplied within 30 days.
And in some cases they can ask for any data to be deleted in a formal "right to be forgotten" law.
Privacy campaigners have hailed the regulation as a new step forward for online rights, but small firms are furious about the burden of complying with the law.
Will GDPR still apply after Brexit?
The government says the same rules will continue to apply after the UK formally leaves the EU.
GDPR standards will soon be enshrined in UK statute in the Data Protection Bill currently going through Parliament.
Ministers say this will help companies prepare for Brexit as it will mean British law is aligned with the rest of Europe.
Officials say it would be harder to trade if the rules were different on either side of the Channel.
The GDPR will apply to any company offering services in the EU, regardless of where it is headquartered.
What does GDPR mean for businesses?
Almost everyone has received emails from companies asking customers and users whether they consent to the new conditions.
When there were just 100 days until the rules came into force, a government study showed only 38 per cent of British firms were even aware of GDPR, let alone ready to comply.
Business groups have said companies will have to spend £1.2million each on average to prepare for the complex rules on data processing.
Ahead of the changes, many did not track their data processing in a way that complies with the new rules.
And if they have sought consent from customers to collect data, often the records were out of date or the consents do not meet the GDPR standards.
Facebook and Google are among the firms likely to be most affected by the changes.
They make money from people's data by using it to target advertising at their interests.
Retailers, insurers and banks are also likely to have to make the biggest changes to ensure they comply.
In January 2018 Facebook published a post detailing its "privacy principles" for the first time.
Erin Egan, Chief Privacy Officer at Facebook, said that the principles "guide our work" and the company wants to give users "more control of your privacy".
The guidelines state: "We recognise that people use Facebook to connect, but not everyone wants to share everything with everyone – including with us."
Critics said the social media giant - with two billion users - had been forced into the move by GDPR and the guidelines "crib large chunks" of the EU regulation.
Small businesses and charity fundraisers face a major headache as most do not have the resources or expertise to make sure they comply with the new rules.
In 2017 handymen, gardeners and window cleaners were warned they could be fined if they try to drum up business by sending an email.
Potential customers would have to have given their explicit consent to each possible use of their personal information by ticking a box online or filling out a form.
Mike Cherry of the Federation of Small Businesses told The Sun: "Many small businesses are already straining under the burden of the current data protection regime and some will be having sleepless nights thinking about how GDPR will add to this."
Some firms fear they will fold if hit by fines.
MOST READ IN NEWS
What is the GDPR compliance checklist?
The Information Commissioner's Office - the government's data watchdog - produced a self-assessment guide to help small and medium businesses and charities comply with the new rules.
It explains what counts as personal data and whether firms collecting it are "controllers" or "processors", with certain legal obligations.
The controllers checklist and the processors checklist are online tools allowing companies to test their readiness by answering a series of questions.
The ICO also has tools to check compliance on information security, direct marketing, records keeping, data sharing and CCTV.