If you’re in business and collect data, and you’re not aware of a new European regulation, you have four days to get to know about it.
The “European General Data Protection Regulation” (GDPR) not only applies in the European Union (EU), but will also apply to organisations outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.
It applies to all companies processing and holding the personal data of data subjects living in the EU regardless of the company’s location.
That means if you are a Thai real estate agent selling overseas to British nationals, for example, and you have a data record for that person, you must comply with the new regulation.
We don’t want to worry you, but organisations can be fined up to 4 percent of annual global turnover, or €20 million, for breaching GDPR.
That’s the maximum fine for the most serious infringements of GDPR, for example not having sufficient customer consent to process data.
So, what constitutes personal data?
The GDPR applies to personal data, meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This means a wide range of personal identifiers are deemed personal data, including name, identification number, location data or online identifier.
This new regulation is already changing the way organisations collect information about people.
The conditions for consent have been strengthened. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form using clear and plain language.
It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data. In this context, nothing short of “opt in” will suffice, but for non-sensitive data, “unambiguous” consent will suffice.
The aim of the GDPR is to protect all EU citizens from privacy and data breaches.
Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.
This does not only apply to property and real estate businesses in Thailand and elsewhere, but given this sector is our main concern, we want to ensure all businesses are aware.
If you are not, GDPR comes into effect this Friday, May 25. Google should be your best friend for more information and to ensure you fully understand the requirements and possible implications.