The new EU General Data Protection Regulation (GDPR) will apply from 25 May 2018, and whilst that might seem a long way off, we know all too well how quickly time flies by! Representing the most significant change in data privacy regulation in over 20 years, the GDPR will affect every business that handles personal data and will very likely require changes to be made. To ensure you're fully compliant by the time the enforcement date rolls around, it's important to get acquainted with the regulation as soon as possible, allowing plenty of time to iron out any issues.
What is it?
The UK currently operates under the Data Protection Act 1998, which came into force long before today's data exploitation technologies evolved. The result of four years' preparation by the EU, the GDPR has been designed to give people more control over how their personal data is used, to instil more trust in the digital economy, and to change the way organisations approach data privacy.
Aren’t we leaving the EU?
Yes. In fact, just this week, Theresa May triggered Article 50, starting the formal process of leaving the European Union. These negotiations are expected to take two years, during which we remain members of the EU. May 2018 falls within this time bracket, meaning that for the time being, the GDPR will apply to us. Even once Britain has formally left the EU, the GDPR will still apply to you if you handle the personal data of individuals in the EU, for example by offering them goods or services or monitoring their behaviour, regardless of where your organisation is based.
It is unclear what direction UK data protection law will take once we have formally left the EU, but experts predict similar legislation, so that UK companies can continue to handle the data of EU residents lawfully.
What counts as personal data?
The GDPR treats any data that can be used to identify an individual, directly or indirectly, as 'personal data'. This explicitly includes online identifiers such as IP addresses, as well as economic, cultural and mental health information. Note that pseudonymised data (for example, records keyed by a customer ID rather than a name) is still personal data if the individual can be re-identified from it.
Who does it apply to?
Both 'controllers' and 'processors' of data are held directly responsible under the GDPR, which includes any third-party companies that process data on your behalf, so your contracts with such suppliers need to set out their obligations. All parties should keep records of their processing activities, conduct Data Protection Impact Assessments (DPIAs, often called Privacy Impact Assessments) where processing is likely to carry a high risk to individuals, and appoint a Data Protection Officer (DPO) where their core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data.
How should consent be obtained for collection of data?
The GDPR sets the age at which a child can consent to the use of online services at 16 by default, though individual member states may lower this to as young as 13.
Under the GDPR, consent to the use of personal data must be active and unambiguous, rather than the passive methods of acceptance currently allowed, such as pre-ticked boxes, easily-overlooked tick boxes or opt-outs. The data controller must be able to demonstrate that consent was given, so keep a record of how and when each data subject gave it, and make withdrawing consent as easy as giving it.
Data may only be used for the purpose it was collected for. If it is no longer needed for that purpose, it must be deleted, or reused only where the data subject provides fresh consent for the new purpose (or another lawful basis for the processing applies).
What rights does the data subject have?
The data subject has the right to access the information a data controller holds about them whenever they wish, including why the organisation has the data and who will see it, and to have inaccurate information rectified. Consent can be withdrawn at any time, after which the data subject can ask for their data to be erased under 'the right to be forgotten' (formally the right to erasure).
What are the consequences of non-compliance?
For serious infringements, you could be hit with a hefty, and potentially crippling, fine of up to €20m or 4% of your global annual turnover, whichever is the greater. Lesser breaches attract fines of up to €10m or 2% of global annual turnover, so taking measures to ensure your organisation is compliant is well worth the hassle!
It's worth bearing in mind that whilst these regulations might seem restrictive, the EU aims to create a simpler, harmonised data protection environment across all member states and estimates the changes could save businesses a collective €2.3 billion a year!