GDPR – Everything You Need To Know Before the Deadline: May 2018
By 25 May 2018, data protection rules across Europe will see their most prominent change in two decades. Since the laws that govern how people’s data should be handled were developed in the 1990s, many things have changed. Now we create vast amounts of digital information every day and everything, from mobile phones to smartwatches, collects data that could identify us.
In short, the laws that oversee our personal information are no longer fit for purpose. The result is the GDPR, which will come into force on May 25, 2018. It will change the way that companies and public sector organizations can handle the personal information of their clients.
WHAT IS GENERAL DATA PROTECTION REGULATION
The General Data Protection Regulation (GDPR) standardizes data protection law across the 28 countries of the EU and imposes new, strict rules on the control and processing of personally identifiable information. It also strengthens the protection of personal data and data protection rights by returning control to EU residents. The GDPR replaces the EU Data Protection Directive of 1995 and enters into force on May 25, 2018. It also replaces the UK Data Protection Act of 1998.
GDPR applies to all organizations that hold and process personal data of EU residents, regardless of their geographical location. Many organizations outside the EU do not realize that the EU's GDPR also applies to them. If an organization offers goods or services to EU residents, or monitors their behavior, it must comply with the GDPR's requirements.
The GDPR was approved by both the European Parliament and the European Council in April 2016. The underlying regulation and guideline were published at the end of that month.
Two main factors brought about the introduction of GDPR. The biggest is the EU's desire to align data protection law with the way people's data is actually used, especially considering that companies like Amazon, Google, Twitter and Facebook offer their services for free, as long as people hand over their data to these technology giants.
The Internet and the cloud allowed organizations to invent numerous methods to use (and abuse) people’s data, and GDPR intends to rectify this.
WHEN CAN PEOPLE ACCESS THE DATA WE STORE ON THEM?
Under the GDPR, people have:
- The right to be forgotten: if they withdraw their consent from an organization to use their data, then they have the full right to have their data deleted.
- The right of access: people have the right to request access to their data and to ask how the company uses their data once it has been collected. The company must provide a copy of the personal data, free of charge and in electronic format if requested.
- The right to data portability: people have the right to transfer their data from one service provider to another.
- The right to have the information corrected: this guarantees that people can have their data updated if it is outdated, incomplete or incorrect.
- The right to object: this includes the right of people to stop the processing of their data for direct marketing. This right must also be made clear to people from the beginning of any communication.
- The right to be informed: this covers any data collection by companies, and people must be informed before the data is collected. Consumers have to opt in to having their data collected, and consent must be given freely rather than implied.
- The right to be notified: if there has been a data breach that compromises a person's personal data, that person has the right to be informed within 72 hours of the breach first becoming known.
- The right to restrict processing: people can request that their data not be used for processing. Their record may remain in place, but it may not be used.
The GDPR is the way in which the EU gives prospects, individuals, contractors, customers, and employees more power over their personal data and less power to the organizations that collect and use that data for monetary gain.
THE NEW UK DATA PROTECTION BILL
The new bill will in effect implement the GDPR, which will come into force in May 2018 (before the UK leaves the EU). Regardless of Brexit, it reiterates the United Kingdom's commitment to the privacy principles enshrined in the EU Regulation. For anyone who has doubted the UK's commitment to the GDPR after Brexit, this announcement would seem to send a clear message that the United Kingdom remains focused on ensuring a robust privacy environment.
The bill will result in a new Data Protection Act that will supersede the Data Protection Act (1998) and add clarity on how the UK will apply legal controls to areas of the GDPR where the Member States have received some flexibility, that is, the exceptions. When the United Kingdom leaves the EU, the new Data Protection Act will replace the GDPR.
IS MY COMPANY/SMALL BUSINESS/CHARITY GOING TO BE IMPACTED?
The scope of the GDPR is vast. The GDPR will affect all organizations established in the EU and all organizations involved in the processing of personal data of EU citizens. The latter is the GDPR's introduction of the principle of "extraterritoriality": the GDPR will apply to any organization that processes personal data of EU citizens, regardless of where it is established and regardless of where its processing activities are carried out. This means that the GDPR could apply to any organization in any part of the world, and every organization should conduct an analysis to determine whether or not it processes the personal data of EU citizens. The GDPR also applies to all industries and sectors.
GENERAL DATA PROTECTION REGULATION FINES
The General Data Protection Regulation stipulates that
- Fines of up to 4% of the company's annual global turnover for the previous fiscal year, or €20,000,000 (whichever is greater), may be imposed for breaches of the key data processing principles (lawfulness, fairness, transparency, purpose limitation, data minimization, storage limitation, integrity, confidentiality and accountability), for breaches of the rights of data subjects (such as the right to be informed, the right of access, the right to rectification or the "right to be forgotten"), or for transferring personal data outside the EU without a valid reason or exception; and
- Fines of up to 2% of the company's annual global turnover for the previous fiscal year, or €10,000,000 (whichever is greater), may apply to other General Data Protection Regulation infractions. These include breaches of the principles of data protection "by design" and "by default", failure to designate a data protection officer, lack of adequate security measures, or failure to notify data breaches.
WHAT CAN YOU DO TO PREPARE?
If your company currently does, or is thinking of doing, business in Europe, there are steps you can take to comply with the rules set by the General Data Protection Regulation.
- Carry out an analysis. Start by consulting a legal expert to understand the data privacy regulations and how they can affect your business. Then analyze the systems you already have in place and find out where the weak points are.
- Educate the whole team. Employees must be educated about the responsibilities they have when it comes to personally identifiable or sensitive information about partners, employees, customers, and contractors.
- Choose a point person. Medium-sized companies may consider appointing a compliance officer, who would be responsible for keeping up with the constant changes in data privacy laws, Glenister said. Smaller companies can hire an outside contractor to perform this function as needed. All companies need to identify a primary point of contact whose responsibility is to address data protection issues.
- Categorize your data. Determine which of your company’s data is affected by regulatory guidelines.
- Review your contracts. Your external providers must have clear policies that comply with the regulations. The fact that you sign a contract in a country does not mean that your data will be stored in that country. As with your internal data management, understand how providers store, process, and access your company's data.
Also ask what procedures your provider has in place to comply with the regulations and how that company will handle violations.