General Data Protection Registration
Unless you have been living in a cave for the past year you will be aware that changes have occurred to data protection.
The General Data Protection Regulation (GDPR) is the biggest change in data protection laws for 20 years, and when it comes into effect on May 25th, 2018, it gives European citizens control over their personal data. Its impact won’t just be felt in Europe though, as it will have wider implications for companies across the world that hold data on the continent.
While great news for individuals, it presents complex problems for companies. As a case in point – they could face fines running into tens of millions of Euros if they breach the new directive. With that in mind, we’ve put together this simple explainer to answer the key questions.
What’s GDPR?
It is a new set of rules governing the privacy and security of personal data laid down by the European Commission.
The new single data protection act will make major changes to all of Europe’s privacy laws and will replace the outdated Data Protection Directive from 1995.
What is the point of the new laws?
They have been designed to give power back to citizens over how their data is processed and used.
Under the new rules, individuals have “the right to be forgotten”, meaning they will be able to request that businesses delete their no longer necessary or accurate personal data. Plus, the intention is to simplify the regulatory environment.
How will this impact individuals?
As well as the right to be forgotten, the law holds provisions that could potentially increase consumers’ rights over their data.
But there is a huge grey area about how it will apply in reality. The laws mean that in theory people could ask social networks like Facebook to delete their profiles entirely.
Laws relating to freedom of expression will stop “the right to be forgotten” extending to news articles.
But there is the potential for individuals to transfer their data from one service to another more easily – which is great news for consumers, making it simpler to swap utilities, insurance or ISPs.
How will this impact my business?
This shake-up of data protection laws is all well and good for individuals, but it could mean huge fines for businesses that don’t comply with the laws.
This is because data breaches have become increasingly common in recent years. However, giving citizens back control of their complex personal data is not necessarily easy.
Plus working out how to give it back to them and how to ensure it is stored adequately throughout employment and then deleted securely is a bit of a technical and HR minefield.
Disclaimer:- The information contained herein is given by way of general guidance only and no action should be taken solely on the basis of the information contained herein. The Avanti Group (UK) Ltd will be pleased to provide further guidance on the issues, and how they might affect you. No liability is accepted by the firm for any action taken without seeking appropriate professional advice
How much will it cost?
The biggest change to the law is the increase in the amount of money regulators can fine companies who do not comply – up to 4% of their global turnover or 20 million Euros, whichever is greater.
This threat is certainly big enough to frighten companies into changing their data dealings.
But I’m not in the EU – will it affect my business?
GDPR has serious implications for companies in countries outside the EU. So even if you’re based overseas, but hold data belonging to anyone living in Europe, you’re liable.
So, in short, if you process data that belongs to individuals living and working within the EU, you will be subject to aspects of the directive.
What should businesses be aware of?
The Information Commissioner’s Office (ICO) in the UK has released a new set of guidelines aimed at ensuring companies are adequately prepared for the introduction of the General Data Protection Regulation (GDPR).
It also recommends that companies review privacy notices and ensure there is a plan in place that allows them to make any necessary changes to be in compliance with GDPR.
What are the other potential problems?
Once GDPR comes in, companies could see more legal challenges from individuals and groups that take up privacy issues on behalf of citizens.
But they may also see fewer challenges from individual country regulators, because of a “one-stop shop” clause that would put the onus on the regulator in the country in which the company is headquartered to pursue legal action.
Regulators are also being given more powers to intervene if they feel another is being too lenient.
The document states that decision makers and key members of organizations should make themselves aware of the upcoming changes in the law, and keep a firmer grasp on the details surrounding the information they hold.
It also recommends that companies review privacy notices and ensure there is a plan in place that allows them to make any necessary changes to be in compliance with GDPR.
Having the right procedures in place in order to react to data breaches is also a crucial part of the ICO’s guidance, with companies now being urged to familiarize themselves with previous guidance surrounding privacy impact assessments (PIAs).
Several other areas are also outlined as being potentially crucial to successfully adapting to GDPR, but the ICO insists the new measures, which came in on the 25th May, will contain many of the same principles and concepts as the current Data Protection Act.
As such, many companies already abiding by current legislation are likely to have a majority of bases covered.
However, the ICO stresses there are several noticeable differences and enhancements included in the GDPR that need to be taken on board.
Speaking at a lecture in London for the Institute of Chartered Accountants in England and Wales, UK information commissioner Elizabeth Denham said the biggest difference refers to accountability.
“The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box-ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organization. [1]
[1] Data provided by eset secutiry