May 18, 2018
If you’re a business owner, and particularly if your business handles a large amount of personal data on a regular basis, you’re likely already aware of the upcoming changes to data protection law, namely the introduction of the GDPR. If not, it’s vital that you familiarise yourself with this major change in data protection law before it comes into effect.
What is the GDPR?
Four years in the making, the GDPR (General Data Protection Regulation) is the most far-reaching change to EU data protection law in twenty years, replacing the 1995 Data Protection Directive. It will affect a great deal about how you handle your clients’ and customers’ data, and it applies from 25th May 2018.
Why Has the GDPR Been Introduced?
The GDPR has come about for a few reasons. The first is that the 1995 Directive was implemented differently in each member state, and the resulting disparities in data protection law across the European Union led to significant confusion and to complex, costly court cases; a single regulation that applies directly in every member state removes that problem. The GDPR protects any individual in the EU whose personal data is processed. It applies to controllers and processors established in the EU (regardless of whether the processing itself takes place in the EU) and to controllers and processors not established in the EU that process the personal data of individuals in the EU in order to offer them goods or services or to monitor their behaviour. With limited exceptions, such non-EU businesses must appoint a representative in the EU.
How Do I Adhere to the GDPR?
One of the main ways in which the GDPR affects companies is that it changes how consent must be obtained and recorded. Any terms and conditions presented when seeking consent must be legible, intelligible, easily accessible and free from “legalese”, and must state what the data will be used for. The manner in which consent is obtained is just as important: the request must be made in clear, plain language, in a form that is clearly distinguishable from any other matters in the same document, and, again, it must be easily accessible and intelligible. Consent must be as easy to withdraw as it was to give, and once it is withdrawn the data may no longer be used for that purpose. If a personal data breach occurs, the controller must notify the supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals) and must inform the affected individuals without undue delay where the breach is likely to put them at high risk; a processor must notify its controller without undue delay. It is important that you build the means to carry out these actions, and to evidence them afterwards, into your systems in a way that is easy to manage.
You no longer have to register your data processing activities with your local data protection authority (DPA), but you must keep internal records of them, and, depending on the nature and scale of the processing (for instance, large-scale monitoring of individuals or large-scale processing of sensitive data), your company may be required to appoint a Data Protection Officer to ensure the rules are being adhered to.
What Other Changes Have Been Made?
The rights of data subjects have also been strengthened to give them more control over any information of theirs that is retained or used. One of the more significant is the right of access: individuals can ask whether their personal data is being held or processed, by whom, and for what purpose, and the data controller must then provide a copy of the personal data, free of charge for the first copy, in a commonly used electronic format. Another is the right to erasure, better known as the “right to be forgotten”: individuals can withdraw consent and ask for their data to be erased at any time, and the controller must then stop disseminating it and take reasonable steps to tell other parties it has shared the data with. The same right applies once the data is no longer necessary for the purpose for which it was collected; at that point it must be erased.
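The consent, withdrawal, breach-notification and data-subject-rights duties described in the two sections above all have to be wired into a system somewhere. The following is an added illustration written for this page (it is not code from the article, from eugdpr.org or from any regulator) of one small in-memory store that does so: every use of personal data is gated on live consent for a specific purpose, withdrawal is a single call just as granting was, an access export returns what is held and under which consent wording, erasure leaves only a tombstone and an audit entry, and a helper computes the 72-hour supervisory-authority deadline. All class and function names, fields and the sample data are assumptions made for the example.

```python
"""Added illustration for this article (not the article's own code): an
in-memory store showing how consent, access, erasure and the 72-hour
breach-notification deadline can be built into a system. All names,
fields and the constructed sample data are assumptions."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

BREACH_NOTIFICATION_WINDOW = timedelta(hours=72)  # to notify the supervisory authority


@dataclass
class ConsentRecord:
    purpose: str                 # the specific use the subject was asked about
    consent_text: str            # the plain-language request actually shown
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class SubjectRecord:
    subject_id: str
    personal_data: Dict[str, str] = field(default_factory=dict)
    consents: Dict[str, ConsentRecord] = field(default_factory=dict)
    erased_at: Optional[datetime] = None


class DataSubjectStore:
    """Personal data, per-purpose consent and an audit trail of every
    rights-related action, so each duty can be evidenced later."""

    def __init__(self) -> None:
        self._subjects: Dict[str, SubjectRecord] = {}
        self.audit_log: List[dict] = []

    @staticmethod
    def _now() -> datetime:
        return datetime.now(timezone.utc)

    def _log(self, subject_id: str, action: str, **detail) -> None:
        self.audit_log.append({"at": self._now().isoformat(), "subject": subject_id,
                               "action": action, **detail})

    def record_consent(self, subject_id: str, purpose: str, consent_text: str,
                       data: Dict[str, str]) -> None:
        """Store the data together with the exact wording the subject agreed to."""
        rec = self._subjects.setdefault(subject_id, SubjectRecord(subject_id))
        rec.personal_data.update(data)
        rec.consents[purpose] = ConsentRecord(purpose, consent_text, self._now())
        self._log(subject_id, "consent_given", purpose=purpose)

    def withdraw_consent(self, subject_id: str, purpose: str) -> None:
        """Withdrawal is one call, as easy as the one call that granted it."""
        self._subjects[subject_id].consents[purpose].withdrawn_at = self._now()
        self._log(subject_id, "consent_withdrawn", purpose=purpose)

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Gate every use of the data on live consent for that specific purpose."""
        rec = self._subjects.get(subject_id)
        if rec is None or rec.erased_at is not None:
            return False
        consent = rec.consents.get(purpose)
        return consent is not None and consent.active

    def export_subject_data(self, subject_id: str) -> dict:
        """Right of access: what is held, for which purposes, under which consent."""
        rec = self._subjects[subject_id]
        self._log(subject_id, "access_export")
        return {
            "subject_id": subject_id,
            "personal_data": dict(rec.personal_data),
            "purposes": [
                {"purpose": c.purpose, "consent_text": c.consent_text,
                 "consent_given_at": c.given_at.isoformat(),
                 "withdrawn_at": c.withdrawn_at.isoformat() if c.withdrawn_at else None}
                for c in sorted(rec.consents.values(), key=lambda c: c.purpose)
            ],
        }

    def export_subject_json(self, subject_id: str) -> str:
        """The same export in a commonly used electronic format."""
        return json.dumps(self.export_subject_data(subject_id), sort_keys=True)

    def erase_subject(self, subject_id: str) -> None:
        """Right to be forgotten: drop the personal data and end all consents,
        keeping only a tombstone so the erasure itself can be evidenced."""
        rec = self._subjects[subject_id]
        now = self._now()
        rec.personal_data.clear()
        for consent in rec.consents.values():
            if consent.active:
                consent.withdrawn_at = now
        rec.erased_at = now
        self._log(subject_id, "erased")


def breach_notification_deadline(detected_at) -> str:
    """Latest time to notify the supervisory authority: 72 hours after the
    controller becomes aware of the breach (ISO 8601 string or datetime in)."""
    if isinstance(detected_at, str):
        detected_at = datetime.fromisoformat(detected_at)
    return (detected_at + BREACH_NOTIFICATION_WINDOW).isoformat()


if __name__ == "__main__":
    store = DataSubjectStore()  # constructed sample data for a dry run
    store.record_consent("subject-42", "newsletter",
                         "Email me the monthly newsletter.", {"email": "jane@example.com"})
    store.withdraw_consent("subject-42", "newsletter")
    print(store.export_subject_json("subject-42"))
    store.erase_subject("subject-42")
    print(breach_notification_deadline("2018-05-25T09:00:00+00:00"))
```

The point of the audit log is that every one of these duties is something a supervisory authority can ask you to demonstrate after the fact: when consent was given and in what words, when it was withdrawn, when an access request was answered and when erasure happened. A real deployment would persist the log separately from the personal data so that erasing the data does not erase the evidence of having done so.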
What If I Don’t Make These Changes?
It is imperative that every company within the GDPR’s scope, whether based in the EU or not, adjusts its practices to match the new legislation. Failure to do so can result in significant penalties. As the GDPR information site www.eugdpr.org notes, organisations in breach of the new law can be fined up to 4% of their annual global turnover or €20 million, whichever is the greater sum. That is the maximum fine for the most serious violations; a lower tier of up to 2% of turnover or €10 million applies to lesser infringements, such as failing to keep records or to notify a breach. Your company can be fined whether it controls or processes data.