What is the GDPR? It stands for General Data Protection Regulation and is the new EU legislation on the collection, processing, and security of personal data. The GDPR applies to businesses anywhere in the world that process the personal data of individuals located in the EU, regardless of those individuals' nationality.
Following the 1995 EU Data Protection Directive, the UK has been operating under the Data Protection Act 1998. The European Commission proposed a new data-protection regulation in 2012. The final text was adopted and entered into force in May 2016, and it becomes enforceable on 25 May 2018. In the UK, this new legislation will supersede the Data Protection Act 1998.
Data, particularly personal data, are being used in ways that were never imagined when the 1995 Directive was written, with the advent of platforms such as Google, Facebook, and cloud computing. The EU recognized the need to strengthen and unify data protection, and to enforce it more stringently, in order to improve the public's trust in the digital economy. The regulation also governs the transfer of personal data outside the EU. Here are five things you need to know to plan for the GDPR:
1. What is the purpose of the GDPR?
A major reason the EU instituted the GDPR is to give people more control over how their personal data are used. The GDPR broadens the definition of personal data to cover not only contact details and customer lists but also online identifiers, such as IP addresses and cookie IDs, where they can be linked to a person. Consent is one of several lawful bases for processing, but where a business relies on it, the consent must be freely given, specific, informed, and unambiguous, shown by a clear affirmative action rather than a pre-ticked box or silence. For online services offered directly to children, parental consent is required for children under the age of 16 (EU member states may lower this threshold to 13).
Another positive outcome of the GDPR is a single data-protection law applied throughout the EU, which gives businesses explicit legal parameters to operate within instead of 28 national variations. Over the last four years, the EU has worked on this legislation to heighten data protection and to impose tougher measures for non-compliance and for breaches of personal data.
2. How does Brexit impact the GDPR?
In October 2016, Karen Bradley (the UK's Secretary of State for Culture, Media and Sport) confirmed that the UK will opt in when the GDPR takes effect in May 2018. She explained, “We will [still] be members of the EU in 2018, and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
The UK High Court has ruled that parliamentary approval is needed before the government can give the Article 50 notification that starts the two-year period for negotiating the UK's exit from the EU. Even once that notification is given, the UK will therefore still be an EU member state in May 2018, and the GDPR will apply in full.
3. How does the GDPR impact your business organization?
The GDPR applies not only to businesses established in the EU but also to any business outside the EU that offers goods or services to individuals in the EU or monitors their behaviour, regardless of where the business is located or where the data are processed.
Data-collection processes and systems must be designed with privacy in mind from the outset (data protection by design and by default). Businesses should collect only the data required to fulfil specific, stated purposes, and should keep that information no longer than necessary for those purposes.
Businesses must report a personal-data breach to the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. If the breach is assessed as a high risk to the rights and freedoms of the affected individuals, they must also be notified without undue delay. This legislation is about accountability and transparency: businesses will need an audit trail showing what data they hold, why, and on what legal basis, and must be able to justify the security decisions made around that data.
Additionally, a data protection impact assessment (DPIA) is mandatory before starting any processing that is likely to result in a high risk to individuals, such as large-scale profiling or processing of sensitive data. The assessment identifies the risks, including the risk of a breach, and records the measures taken to reduce them.
4. What do controllers, processors, and DPOs need to know?
Data controllers (for-profit businesses, governments, and charities alike) make the decisions about processing activities: the how and why of personal-data processing. The controller may or may not perform the processing operations itself. Under the GDPR, compliance obligations fall on both controllers and processors. Controllers must use only processors that provide sufficient guarantees of compliance, must bind them by a written contract covering the GDPR's required terms, and should confirm that processors can document the procedures they have in place and assist with data protection impact assessments.
Processors are the parties that actually process the data on the controller's behalf, for instance an IT firm or cloud provider performing data processing for a controller. Controllers remain responsible for processing carried out on their behalf and should only use processors that can guarantee appropriate organizational and technical measures meeting GDPR requirements. Processors, for their part, now carry direct obligations of their own, including keeping records, securing the data, and reporting breaches to the controller without undue delay.
Public authorities, and organizations whose core activities involve regular and systematic large-scale monitoring of individuals or large-scale processing of special categories of personal data, are required to appoint a data protection officer (DPO). The DPO must have expert knowledge of data-protection law and practice, may be an employee or an external appointee, and must be able to act independently. The DPO's duties include informing and advising the organization on its GDPR obligations, monitoring compliance, and acting as the point of contact for the supervisory authority.
5. What are the penalties for non-compliance?
For the most serious infringements, such as breaching the basic principles of processing, the conditions for consent, or data subjects' rights, a business can be subject to administrative fines of up to 20 million Euros ($20.9 million) or four percent of its worldwide annual turnover for the preceding financial year, whichever is greater. Other specified infringements, such as failing to keep adequate records, failing to notify a breach, or failing to appoint a DPO where required, carry a lower tier of fines of up to 10 million Euros ($10.5 million) or two percent of worldwide annual turnover for the preceding financial year, whichever is greater.
Is your business ready for the GDPR? Now is the time to establish best practices to ensure compliance, so that you are not caught unprepared when the regulation becomes enforceable in May 2018.