What is the GDPR?
On April 27, 2016, the General Data Protection Regulation (GDPR) was adopted in the European Union after four years of negotiations. This law will strengthen data protection for individuals residing in the European Union (EU).
In addition to requiring companies to obtain people's clear, affirmative consent, the GDPR broadens the concept of "personal data" so that it explicitly covers online identifiers such as IP addresses, as well as genetic and biometric data.
The GDPR will replace its predecessor, the Data Protection Directive (DPD), originally adopted in 1995. Unlike a directive, which each Member State has to transpose into its own national law, a regulation applies directly. The GDPR entered into force in 2016 and becomes enforceable in all Member States simultaneously on May 25, 2018.
Companies that fail to comply with the rules for the proper handling and storage of personal data will face tougher punishments than before, with a maximum penalty of €20 million or 4% of annual worldwide turnover, whichever is higher.
The purpose of the GDPR is to harmonise the rules on the collection, processing and transfer of personal data across the EU.
Why is this important?
Since the original Data Protection Directive, companies have vastly increased their collection of customer data. Companies not only collect personal data, but also store, move and access it online, often across borders.
"17 years ago, less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds. The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data."
– Viviane Reding, EU Justice Commissioner, in 2012
The most important take-away is that users will have more control over their personal data and over the consent they give, and that the same rules will apply in all Member States. The DPD had to be transposed into national law, which led to uneven implementation and enforcement across the EU; the GDPR is directly applicable and will be enforced as such, with harsh penalties for those that do not conform.
What does this mean for businesses?
The GDPR will apply in all Member States and primarily to businesses established in the EU. However, businesses outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour, will also be obliged to follow the new regulation.
The GDPR will have a substantial impact on SMEs (small and medium-sized enterprises). Whether a company must appoint a Data Protection Officer (DPO) depends on what it does rather than on headcount: a DPO is mandatory for public authorities and for organisations whose core activities involve regular and systematic large-scale monitoring of individuals, or large-scale processing of special categories of data such as health, genetic or biometric data.
Companies outside those categories will need to manage compliance on their own, although many may well choose to appoint a DPO anyway, especially if they handle a significant amount of sensitive data.
Under the new regulation, when users give consent to the storage and use of their personal data, companies must be able to demonstrate that consent was given, for example by keeping the consent form or a record of what the user was shown and when they agreed.
Consent must be an active choice; "assumed" agreement, such as a pre-ticked box, silence or inactivity, will not count as valid consent.
Individuals will have the right to withdraw consent at any time, and withdrawing consent must be as easy as giving it. Where consent was the only legal basis for processing the data, the company must then erase it.
The GDPR also codifies the right to erasure, often called the right to be forgotten, which allows those residing in the EU to have their personal data deleted in specified circumstances, for example when it is no longer needed for the purpose it was collected for. This includes asking search engines to remove outdated or irrelevant links that appear in searches for their name.
In the event of a personal data breach, the GDPR will require companies to notify the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to put individuals at risk. The notification must describe the nature of the breach, its likely consequences and the measures taken or proposed to mitigate it. Where the breach is likely to result in a high risk to the individuals concerned, they must be informed as well.
Fines are tiered. The most serious infringements, such as violating the basic principles for processing, the conditions for consent or individuals' rights, carry a maximum fine of €20 million or four percent of annual global turnover, whichever is higher. Failures in the lower tier, which includes the breach notification and security obligations, carry a maximum of €10 million or two percent of annual global turnover.
First steps to prepare for the GDPR
- Conduct a full audit of the personal data your company processes. For many companies, compliance will also require a change in culture, not just in paperwork.
- Determine whether you need a Data Protection Officer, or designate someone internally who will be responsible for data protection.
- If your company processes genetic, biometric or other special categories of data, make sure you have a valid legal basis for doing so (typically explicit consent) and bring your processing in line with the GDPR.
- Review the processes you have in place for asking users for consent.
- Document the personal data you hold: what it is, where it came from and who you share it with.
- Create a process for collecting and recording user consent under the new regulation, including how users can withdraw it.
- Update your current privacy notices.
- Review the security procedures you have in place to detect, investigate and report a data breach, and make sure they can meet the 72-hour notification deadline.
Source of the quotation: European Commission press release IP/12/46, http://europa.eu/rapid/press-release_IP-12-46_en.htm