After years of discussion the new EU data protection framework has been adopted with the General Data Protection Regulation (GDPR) coming into effect on 25th May 2018.
With major personal data breaches being commonplace today, the aim of the GDPR is to strengthen the protection of EU citizens' personal data and restore confidence in online activities.
The regulation replaces the EU data protection directive, which dates back to 1995, when the internet was still in its infancy. It updates the principles set out in the 1995 directive that control how your information is used by organisations, businesses or the government. The update is required in order to keep pace with the major changes in data processing, and it will cover, for example, data that is processed on the internet via social media sites, online banking and shopping.
Many businesses may have heard about the GDPR but are unsure whether it will affect them, and with the GDPR text consisting of 99 articles of legislation it can be mind-boggling. So in this issue our goal is to educate readers, focusing on the core considerations that need to be reviewed.
FIRST THINGS FIRST, WILL THE GDPR AFFECT YOUR BUSINESS?
The GDPR should be of global interest as it impacts any company doing business with European citizens, regardless of where the company is based.
SO WHAT ARE THE CHANGES IN THE GDPR?
The conditions for consent to the use of personal data have been strengthened, and companies will now need to ensure that their terms and conditions are clear and concise without being full of legal terminology. It must be as easy to withdraw consent as it is to give it.
In the event of a data breach, it becomes mandatory for your business to notify the Supervisory Authority without delay and no later than 72 hours after the breach. Should the breach pose a high risk to the individuals concerned, they will need to be notified too. Failure to notify a breach can result in significant fines.
Right to access
Individuals can now obtain information from a business as to whether personal data concerning them is being processed, where and for what purpose. When such a request is received, businesses are obliged to provide a copy of the data, free of charge and in an electronic format.
Right to be forgotten
The right to be forgotten entitles the individual to have his or her personal data erased and all further dissemination of that data stopped, where there is no compelling reason for its continued processing.
The GDPR introduces data portability, meaning that individuals have the right to receive the personal data that concerns them and can use this data for their own purposes across different services.
Privacy by Design
This is a concept that has been around for a while; however, the GDPR is the first time that it has been made a legal obligation.
In short, it means that each new service or business process that makes use of personal data must take the protection of such data into consideration, and businesses must be able to prove that they have adequate security in place. A privacy strategy should be implemented during the initial stages of development rather than as an add-on at the end.
Data Protection Officers
The GDPR introduces the statutory position of Data Protection Officer (DPO), who will have a key role in ensuring compliance with the GDPR. Your business will need to appoint one in the following situations:
• Where data processing is carried out by a public authority or body.
• Purely private companies not involved in public functions or delivering public services will only need to appoint a DPO if their core activities consist of data processing which requires regular monitoring of data on a large scale.
• Where the core activities consist of large-scale processing of data relating to criminal convictions and offences.
Children’s Personal Data
There are new provisions intended to enhance the protection of children's data. Where services are offered to a child, a business's privacy notice should be written in a clear way that a child would understand.
What does the GDPR mean for businesses?
Understandably, the new regulation will have several implications for businesses that process data belonging to EU citizens. Preparations should therefore be made to ensure that businesses are compliant, in order to avoid the hefty fines that will come into play.
The main objective for businesses is to focus on protecting the security of personal data. Mark tells us more on pages 4-5 of our tech issue magazine about what solutions are available to help businesses ensure they are GDPR compliant.