What is the EU GDPR?
The EU GDPR will be enforced from 25 May 2018, and it is the culmination of years of work by the EU to reform General Data Protection regulation into a Union-wide framework instead of a patchwork of country-specific legislation.
The regulation is intended to strengthen the privacy rights of EU citizens, restore confidence in online activities and better protect customer data by requiring companies to adopt new data protection processes and controls.
Who does this affect?
The GDPR should be of global interest as it affects any company doing business with EU citizens, regardless of where the organisation is based in the world.
Why should we be concerned about this?
If your business is not compliant, there are fines for breaches of personal data of up to €20m or 4% of the organisation’s worldwide turnover.
Key Stipulations of GDPR
1. GDPR has a wider geographic scope. You do not have to be based in Europe for it to apply. Any company that does business with EU residents will be subject to GDPR. Even if you are offering a free service, such as a website that people in the EU access, you may be subject to GDPR if you collect IP addresses or track cookies.
2. The definition of ‘personal data’ has widened and now explicitly includes online identifiers such as IP addresses and mobile device identity.
3. Organisations will need to obtain explicit consent from individuals regarding the processing of their data, and companies will no longer be able to use long, illegible terms and conditions. Individuals will also have more rights regarding the processing of their data, for example relating to data erasure (often referred to as the ‘right to be forgotten’) and data portability, which is the right to transmit their data to another controller.
4. Technical and organisational measures regarding the protection of personal data are becoming mandatory, with the GDPR outlining examples of the measures expected. These relate to the hashing and encryption of personal data, the ability to ensure confidentiality, integrity, and availability, and processes to test the effectiveness of security measures.
5. Organisations will need to keep a written (electronic) record of personal data processing activities, capturing the lifecycle of the data and the name and contact details of the data controller.
6. The reporting of personal data breaches will become mandatory and this is to be done within 72 hours of becoming aware of them.
How to comply with the GDPR?
In order to comply with the new legislation, the best way to prepare is to implement a solid data protection strategy that guards against loss of data whether through malicious or accidental methods.
How will the new rules be enforced?
To ensure proper enforcement of the new data protection rules the reform will both step up the powers of data protection officers and allow for substantial fines in the event of breaches.
Firms will have to appoint a data protection officer if they are handling significant amounts of sensitive data or monitoring the behaviour of many consumers.
Do you really need to hire a Data Protection Officer?
The short answer is yes. You could share a Data Protection Officer with another organisation, or you could assign the role to an existing individual. Their role is to examine the business from the point of view of the regulator, whose concern is protecting the data of EU citizens. The regulations state that this is essential for companies of 250 users and over; however, we feel that smaller businesses would benefit from having an officer just to make sure that data is being processed as per the regulations.
We will provide more information about the first steps in our next blog.