The EU General Data Protection Regulation is the biggest shake-up of data protection law in over 20 years, and any breach of these regulations will see big penalties of up to €20 million. The changes are designed to harmonise data privacy laws across Europe, to protect and empower the data privacy of all EU citizens, and to reshape the way organisations within the EU approach data privacy.
Even though this is a European Union ruling, the UK will still need to prepare and comply, as it will still be a member state when the ruling comes into force next year.
With the world being so much more data driven than when the Data Protection Directive was established in 1995, these changes are long overdue. Whilst the foundations of the DPD are still relevant, the technology that we use to collect, process and store data has evolved beyond expectation, and despite increased cyber intelligence, the opportunities to steal data through multiple channels are a serious and growing threat to users and businesses.
The GDPR will make organisations which collect and use data more accountable, so it is vital that businesses are ready for the change. From May 2018, non-compliance will incur much harsher fines and cost your reputation dearly. It is therefore vital that you are fully prepared with greater knowledge and improved systems.
Increased Territorial Scope (extra-territorial applicability)
Previously, the territorial aspect of data privacy was unclear, and referred to data processing ‘in the context of an establishment’, which was difficult to define.
Now the territorial aspect is much clearer. If the data processing is performed in the European Union, or if the data subject is in the EU, then this activity falls under the new regulations. So if a business operating outside of the EU is providing goods or services – including services which are not purchased – to a customer within the EU, they will need to comply with the new rules.
Consent
Companies must use forms which are easy to read and understand when collecting data. These forms must clearly state their purpose for gathering information.
Customer consent must be clear and distinguishable from other matters, and the language used must be clear. It must be easy for customers to withdraw their consent if or when they choose to.
Breach Notification
Companies must inform their customers within 72 hours of discovering a data breach if the breach is likely to “result in a risk for the rights and freedom of individuals”.
Right to Access
Data subjects have the right to ask data controllers whether or not personal data concerning them is being processed, where, and why.
If a customer requests a copy of their personal data, the controller must provide a copy of the requested data in an electronic format, free of charge.
Right to be Forgotten
A data subject has the right to instruct the data controller to erase their personal data, stop distributing it and stop third parties from processing it.
Data Portability
Data subjects have the right to ask for any personal data which concerns them so they may transmit that data to another controller.
Privacy by Design
The concept of Privacy by Design has existed for years, but it is now a legal requirement. Only data relevant to the specific task or activity may be held and processed.
The Penalties for non-compliance
Penalties for a breach of the GDPR are much harsher than they were previously.
Organisations can be fined up to 4% of annual global turnover, or €20 million – whichever amount is greater.
Previous Victims of Cyber Crime
Some big names such as Three Mobile, Tesco Bank, Sports Direct and Mumsnet have fallen victim to cyber attacks in the past few years, and they have paid a hefty price. It can happen to any business in any sector and through a number of avenues, from hacked websites and exploited flaws in apps to the disposal of hardware.
The large fines imposed by the ICO in these cases were determined not on the size of the attack, but on the sensitivity of the data compromised.
The new GDPR is guaranteed to see more organisations in breach of data protection regulations if they don’t get GDPR savvy.
If your organisation sells goods or services which require holding customer data, you will need training to prepare for the new regulations.