Issued by the European Commission, the General Data Protection Regulation is set to strengthen and unify data protection for individuals within the European Union. Before the regulation comes into effect in May 2018, here we explain some of the key principles…
What is the EU data protection regulation (EUGDPR)?
The European Data Protection Regulation is a data protection reform that will replace the current 1995 Data Protection Directive from 25 May 2018. With so many businesses and services operating across borders, the new legislation is intended to introduce consistency around data protection laws and rights.
What are the new requirements?
Effective from 28 May 2018, businesses must take on a new set of responsibilities for managing and collecting data. The main ones include:
To handle data, you need to obtain valid consent and be able to provide proof of this consent at any time. The Information Commissioner’s Office (ICO) explains: “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement”.
Data Protection Impact Assessment
Under EUGDPR, ICO will carry out data protection impact assessments to evaluate whether businesses adhere to the new regulation. If you are subject to the assessment, you need to be able to show how you handle day-to-day data protection.
Data Protection Officers (DPO)
If you are a public authority or carry out large “systematic monitoring of individuals (for example, online behaviour tracking)” you need to appoint a data protection officer to oversee GDPR compliance.
In the case of a data breach, you’ll need to notify the local data protection authority within 72 hours of discovering it and notify those affected should the breach place their rights and freedoms at risk.
According to ICO, the EUGDPR gives individuals “genuine choice and ongoing control” over how organisations use their personal data. There is a new set of rights that include:
The right to be informed
The GDPR sets out the information that your business should provide for customers and prospects. This should be transparent and written in plain language, explaining how you collect and use personal data.
The right of access and rectification
Under GDPR, all individuals will have a right to access their personal data “so that they are aware of and can verify the lawfulness of the processing”. Your business must provide a copy of this information within a month and free of charge. If personal data is inaccurate or incorrect, you must make appropriate changes within 30 days.
The right to erasure and restrict processing
Individuals can request that you delete or restrict the use of their personal data when they believe there is no compelling reason for continued processing. Except for unlawful use, this includes instances where “personal data is no longer necessary in relation to the purpose for which it was originally collected or when the individual withdraws consent”.
Who will be affected?
According to Stewart Room, cybersecurity and data protection partner at PricewaterhouseCoopers (PwC), “GDPR will impact every entity that holds or uses European personal data both inside and outside of Europe”.
The GDPR will come into force despite the Brexit vote and will apply to all businesses that handle the personal information of European citizens.
What if I don’t adhere to the GDPR regulation?
Failure to adhere could have significant consequences:
Any data breach can affect your business reputation and, with it, your customers and profits.
Your business may be subject to fines as high as €20 million or up to 4% of global turnover.
Loss of data
In the event of non-compliance, you may be asked to delete all customer and prospect records.
According to computerweekly.com, “The GDPR requires that privacy is included in systems and processes by design. This means that software, systems and processes must consider compliance with the principles of data protection”.
ICO has released a number of documents to help you prepare for the new regulation. Start with the ‘Getting ready for the GDPR’ checklist released by ICO to get to grips with the new rights of individuals, handling subject access requests, consent, data breaches, and more.