The European Union General Data Protection Regulation, or GDPR as most people now refer to it, will come into force on 25 May 2018 and will replace the existing Data Protection Act 1998.
GDPR is intended to give European Union (EU) citizens more control over how their personal data is used, while providing businesses with a clearer, more standardised data protection framework in which to operate.
Just in case you’re thinking Brexit will put a stop to its implementation, it won’t!
The Information Commissioner’s Office (ICO) has clearly stated that it will not extend the implementation deadline beyond May 2018, and therefore businesses will need to work hard to ensure they are ready.
The sanctions for breaching GDPR are going to be significant and are intended to make businesses think twice about non-compliance. Minor breaches will see fines of up to €10m or 2% of worldwide annual turnover (based on the preceding financial year), whichever is the higher. Major breaches could result in a fine of up to €20m or 4% of worldwide annual turnover.
GDPR will bring some significant changes to the data protection landscape in which businesses currently operate. However, businesses that already operate effective data protection systems and procedures should have an easier journey than those that have chosen to sit back and do little or nothing to comply.
Now for the detail!
GDPR will apply to all data controllers and processors that handle the personal data of EU citizens. One of the most important things to note is that it will apply to any business collecting or processing the personal data of individuals residing in the EU, regardless of where that business is physically located.
What is a data controller?
- A data controller specifies how and why personal data is processed, and is responsible for ensuring the data processor complies with GDPR.
What is a data processor?
- A data processor conducts the actual processing of the personal data.
So what are the main changes being introduced by GDPR?
- Extended jurisdiction – it will apply to any business collecting and/or processing EU citizens’ personal data regardless of where its physical offices are located
- Consent – businesses will be required to obtain individuals’ consent to store and use their data as well as explain how it will be used
- Mandatory breach notification – businesses will be required to notify the supervisory authority within 72 hours of discovering a data breach, unless it is unlikely to “result in a risk to the rights and freedom of individuals”; my recommendation here would be to report all breaches until we get clarity on what is defined as “a right” and “freedom”
- Right to access – on request, businesses must be able to provide individuals with electronic copies of their records, stating what personal data the business is processing, where that data is stored, and for what purpose it is held
- Right to be forgotten – EU citizens will be able to request the controller to not only delete their personal data but to stop sharing it with third parties, who are then also obliged to stop processing it
- Data portability – GDPR will give individuals the right to transmit their data from one controller to another, and as a result businesses must be able to provide an individual’s personal data in a “commonly used and machine readable format”
- Privacy by design – this will be a legal requirement and means that security must be built into products and processes from day one
- Data Protection Officers (DPO) – data controllers and data processors may need to appoint a DPO, who can be a contractor, a new hire or an existing member of staff. Only businesses “whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data relating to criminal convictions and offences” will be required to have a DPO
Heads in the sand!
Many businesses are either still unaware of GDPR, or are aware of it, but seem to think they can ignore it until the weeks before its implementation date!
You can see from the above that if your business is to be ready in time, you will need to start preparing for GDPR now.