The General Data Protection Regulation (GDPR) is the biggest change in data protection law for 20 years, and comes into effect on May 25th, 2018. It intends to give European citizens back control over their personal data. Its impact won’t just be felt in Europe though: it will have wider implications for companies across the world that hold data on people on the continent, and especially for small to medium-sized enterprises.
While great news for individuals, it presents an array of problems for companies, which could face fines running into tens of millions of Pounds/Euros if they are in breach. With that in mind, we’ve put together this short blog post to answer the key questions on GDPR.
What’s GDPR again?
It is a new set of rules governing the privacy and security of personal data, laid down by the European Commission. The new single data protection act will make major changes to all of Europe’s privacy laws and will replace the outdated data protection law from 1995.
Why change the laws?
They have been designed to give individuals power back over how their data is processed and used. Under the new rules, individuals have “the right to be forgotten”, meaning they will be able to request that businesses delete personal data that is no longer necessary or accurate. The rules are also intended to simplify the regulatory environment.
How does this impact individuals?
As well as the right to be forgotten, the law could potentially increase consumers’ rights over their data. But there is a huge grey area about how it will apply in the real world. The laws mean that in theory people could ask social networks like Facebook and LinkedIn to delete their profiles entirely.
Laws relating to freedom of expression will stop “the right to be forgotten” extending to news articles. But there is the potential for individuals to transfer their data from one service to another more easily – which is great news for consumers, making it simpler to swap utilities, insurance, contracts etc.
How is my business impacted?
These new data protection laws are all well and good for individuals, but they could mean huge fines for businesses that don’t comply. This can impact small to medium-sized enterprises more, because the fines that can be given are far higher than under current legislation and guidelines.
This is because data breaches have become increasingly common in recent years and, in some cases, the low level of fines under the current legislation has been taken advantage of. However, giving citizens back control of their complex personal data is not necessarily easy. Working out how to give it back to them, how to ensure it is stored adequately throughout employment and then how to delete it securely is a bit of a technical and HR nightmare.
What is the cost?
The biggest change to the law is the increase in the amount regulators can fine companies that do not comply: up to 4% of their global turnover or 20 million Euros, whichever is greater. This threat is certainly big enough to frighten companies into changing their data usage, so you can be assured that big corporates such as LinkedIn and Facebook will already be looking to implement the changes to regulation. Small and medium-sized enterprises need to take note too, as they are more at risk of paying fines due to lack of education on the changes.
But I’m not in the EU, so what does it matter?
GDPR has serious implications for companies in countries outside the EU. So even if you’re based overseas but hold data belonging to anyone living in Europe, you’re liable. In short, if you process data that belongs to individuals living and working within the EU, you will be subject to GDPR.
As a business, what should I know?
The Information Commissioner’s Office (ICO) in the UK recently released a set of guidelines to help businesses prepare for GDPR. The ICO also recommends that companies review their privacy notices and ensure there is a plan in place that allows them to make any changes necessary to be compliant with GDPR.
However, it is potentially not too scary, as the ICO insists the new measures will contain many of the same principles and concepts as the current Data Protection Act, which means companies already successfully abiding by the 1995 legislation will probably be covered.
But we can expect businesses to go on recruitment drives for data protection officers to help ensure they’ve got the right personnel in place.
What if I am not GDPR compliant?
Once GDPR comes in, companies could see more legal challenges from individuals and groups that take up privacy issues on behalf of citizens. But they may also see fewer challenges from individual country regulators, because of a “one-stop shop” clause that would put the onus on the regulator in the country in which the company is headquartered to pursue legal action. Regulators are also being given more powers to intervene if they feel another is being too lenient.
Our advice is to visit the ICO website and learn more about GDPR. If you hold data on individuals residing in the UK and Europe, you need to be looking at a plan to be compliant. Better to be safe than sorry.