With only a few days to go, Europe's General Data Protection Regulation (GDPR) is set to redefine how companies may collect and use personal data. The regulation applies from 25 May 2018, and organisations face substantial fines for non-compliance.
Who Does the GDPR Impact?
The regulation applies to small businesses and large corporations alike whenever they process the personal data of individuals in the European Union (EU), whether by offering them goods or services (paid or free) or by monitoring their behaviour, regardless of where the organisation itself is located. Considering the European market accounts for roughly a quarter of global GDP, this is particularly relevant for international businesses that trade with the EU.
With recent data breaches highlighting the need to keep personal information safe, companies that fail to comply with the new regulation can incur fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
Data is an extremely valuable resource for businesses in the 21st century. Personal data includes an individual's name, phone number and email address, as well as online identifiers such as IP addresses and browsing habits collected through website cookies. Data subjects are not limited to customers and consumers; they also include staff, contractors and suppliers.
Breakdown of the Key GDPR Changes
The new rules give individuals in the EU the right to know about, and control, the use, storage and transfer of their personal data. Here, we break down how the key provisions of the GDPR will affect your business.
Consent
Companies can no longer rely on vague or assumed consent to collect and use the personal data of individuals in the EU. Under the GDPR, consent must be freely given, specific, informed and unambiguous, and it must be given by a clear affirmative action. Previously, lax privacy laws allowed businesses to treat pre-ticked boxes, silence or inactivity as consent; none of these count any more. When seeking consent, companies must clearly set out what information will be collected and how it will be used, and it must be as easy for an individual to withdraw consent as it was to give it. Privacy notices and terms must be written in plain language, free of technical legalese. Note that consent is only one of six lawful bases for processing under the GDPR; where a business relies on another basis, such as performance of a contract or a legitimate interest, it must document that basis and still inform individuals about the processing.
Breach Notification
In the event of a personal data breach, whether caused by a cyber attack or an accidental leak, businesses must notify the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the people affected, those individuals must also be told without undue delay. Strict penalties can apply if proper procedures are not followed, so organisations need an incident response process that can detect a breach, assess its impact and produce the notification within that window.
Right to Access & Right to be Forgotten
Under the 'right of access', individuals in the EU can demand a copy of all personal data held about them, together with an explanation of why it is being processed and who it has been shared with. The first copy must be provided free of charge and, where the request is made electronically, in a commonly used electronic format; it must be supplied without undue delay and in any event within one month of the request (extendable by a further two months for complex requests). Individuals can also ask for their data to be erased under the 'right to be forgotten' (right to erasure), for example where the data is no longer needed for the purpose it was collected for or where they withdraw the consent on which the processing relied.
Privacy by Design & by Default
The GDPR requires all data controllers and processors to adopt a 'privacy by design' approach, embedding data protection into the design of their products, services and systems from the outset rather than bolting it on afterwards. Until now, data protection has too often been an afterthought or ignored altogether. The GDPR also introduces the obligation of 'data protection by default', which requires that, by default, only the personal data necessary for each specific purpose is processed, and that personal data is not made accessible to an indefinite number of people without the individual's intervention. For example, a social media platform's default settings should show only essential information, such as your display name, on your public profile, and not your email address, age, location or phone number unless you choose to share them.
Data Protection Officers
A Data Protection Officer (DPO) must be appointed by public authorities, by organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and by organisations whose core activities involve large-scale processing of special categories of data (such as health data) or data relating to criminal convictions. Other organisations may appoint one voluntarily. The DPO is responsible for informing and advising the organisation on its GDPR obligations, monitoring compliance with the regulation and the company's data protection strategy, and acting as the point of contact for the supervisory authority. The DPO must have expert knowledge of data protection law and practice, and must be able to carry out the role independently.
The regulation also addresses the protection of children's data. Where an online service such as a social media platform or ecommerce store is offered directly to a child and relies on consent as its lawful basis, the consent of a parent or guardian is required for children under 16, although individual member states may lower this threshold to as young as 13.
Are you GDPR Compliant?
The GDPR will harmonise data protection law across Europe and has set a precedent for data protection standards worldwide. All organisations dealing with individuals in the EU, regardless of location and industry, are affected. Gain consumer trust by ensuring your business is GDPR compliant today.