The impending arrival of the EU General Data Protection Regulation (GDPR) is requiring businesses to implement changes. From 25 May 2018 the GDPR becomes fully enforceable throughout the European Union, and organisations that are not compliant will face heavy fines. There has been much concern surrounding these changes, so we are publishing a mini blog series that sets out what GDPR is, what the new rules will mean for your business and the steps you can take to prepare.
What is GDPR?
The aim of GDPR (the EU General Data Protection Regulation) is to increase the responsibility of businesses for how they collect, use and store personal information. It replaces the Data Protection Directive 95/46/EC and is designed to unify data privacy laws across Europe, to protect and empower the data privacy of all EU citizens, and to revamp the way organisations across the EU tackle data protection.
Who will it affect?
GDPR will affect not only companies located within the EU, but also companies that offer goods or services to, or monitor the behaviour of, EU data subjects. If a company processes or holds the personal data of anyone residing in the EU, the GDPR applies regardless of that company's location.
What about Brexit?
In light of an uncertain Brexit future, what happens if a company's activities are limited entirely to the UK? It is very likely that the UK government will implement legislation that largely follows the GDPR, given the support the ICO and the UK Government have expressed for the GDPR as an effective privacy standard. GDPR will also act as the baseline against which UK businesses will seek continued access to the EU digital market. It is therefore highly recommended that companies go ahead with their preparations regardless of what happens with Brexit.
A breakdown of the Key Changes:
Increased Territorial Scope
Perhaps the biggest change to the landscape of data privacy is the jurisdiction of the GDPR. It applies not only to companies located in the EU, but to all companies that process the personal data of data subjects residing in the EU. Previous definitions of territorial applicability were vague and led to a number of high profile court cases; who the GDPR applies to has now been made very clear.
Penalties
There will be a tiered approach to fines depending on the nature of the non-compliance. The maximum fine that can be imposed for a breach of GDPR is 4% of annual global turnover or €20 million, whichever is greater. This applies to the most serious violations of the core GDPR principles, such as processing personal data without a valid basis (for example, without a customer's consent). Lesser failures, such as not keeping adequate records of processing activities (Article 30), can attract a fine of up to 2% of annual global turnover or €10 million. Penalties apply to both controllers and processors, so cloud-based storage providers are also within the scope of GDPR enforcement.
Consent
The rules on giving and withdrawing consent have been tightened. Companies must request consent in a concise, clearly distinguishable and easily accessible form, in plain language, rather than burying it in lengthy and unintelligible terms and conditions, and withdrawing consent must be as easy as giving it.
Breach Notification
- Notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it will be mandatory in all member states where the breach is likely to result in a risk to individuals' rights and freedoms. Where the risk is high, the affected individuals must be informed as well.
Data Subject Rights:
Right to Access
- An individual is entitled to obtain confirmation from a company of whether or not personal data concerning them is being processed, and if so where and for what purpose.
- The company must provide a copy of the personal data free of charge upon request, in electronic form where the request is made electronically.
Right to be Forgotten
- The individual is entitled to have the company erase their personal data, cease further dissemination of it and have third parties halt their use of it.
- This applies where the data is no longer necessary for the purpose it was collected for, or where the individual withdraws the consent on which the processing was based.
Right to Data Portability
- The data subject is entitled to receive the personal data concerning them that they have previously provided to a company in a 'commonly used and machine readable format', and to transmit that data freely to another controller.
Privacy By Design
- Data protection must be built into systems design from the outset, and the most privacy-friendly settings must be the default.
- Article 25 requires controllers to hold and process only the data strictly necessary for the purpose in hand, the data minimisation principle set out in Article 5, and to limit access to that data to those who need it.
Data Protection Officers (DPO)
- The bureaucratic process of notifying data processing activities to local Data Protection Authorities (DPAs) is replaced by internal record keeping requirements.
- Appointing a DPO will be mandatory only for public authorities and for controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or data relating to criminal convictions and offences.
- The DPO must be appointed on the basis of professional qualities and expert knowledge of data protection law and practice.
- The DPO must not carry out any other task that could result in a conflict of interest.
For more information on the changes and the data subject rights visit EUGDPR.