Companies in the European Union (the “EU”) have been preparing for 25 May 2018, the much anticipated date when the EU’s General Data Protection Regulation (“GDPR”) became effective. The purpose of the GDPR is to regulate how personal data is processed, wholly or partly, by automated means and regulating those persons that collect and process such data. This means that any personal data or information relating to an identified or identifiable person (such as their name, background, employment history, identification number, localization, income, cultural profile and other information) cannot be collected, recorded, organized, structured, stored, used, transferred, adapted or altered, or otherwise processed unless such processing is in line with the GDPR. The GDPR applies to Nigerian companies that are processing the personal data of individuals within the EU. As such, Nigerian data controllers and processors must seek the consent of individuals within the EU in an intelligible and easily accessible form, clearly specifying the purpose for the collection of their personal data.
The effect of the GDPR is exceptional in terms of data protection laws and companies could face a fine of up to €20 million or 4% of total worldwide annual turnover (whichever is higher) for breaches of the GDPR.
Key Players Affected
The GDPR outlines the role of the following key players that are within the scope of the GDPR:
a) Controllers: A controller can be a natural or legal person, public authority, agency or other body, which alone or jointly with others, determines the purposes and means of the processing of personal data. The specific criteria for controllers may be determined by EU law or the law of a member state. Nonetheless, a controller has certain key responsibilities pursuant to the GDPR.
Click here to read more.