With the General Data Protection Regulation (GDPR) fast approaching, there’s never been a more important time for businesses to take stock of and reassess their data handling practices. The new regulations, which come into force on May 25th, 2018, are designed to give users greater control over how their personal data is used and also enable them to demand compensation if that data falls into the hands of unauthorised third parties. This means businesses must be GDPR compliant before the deadline or face serious consequences.
What is GDPR?
The General Data Protection Regulation is a set of standards that governs how information about individuals – known as personal data – should be handled and used by companies. It replaces existing data protection laws with updated safeguards that are intended to help protect user privacy and address challenges posed by digital technologies.
What are the key changes that come with GDPR?
– New rules for consent: Data subjects must explicitly agree to the collection and use of their data. Companies will not be able to rely on the “OK” provided via a pre-ticked box or an “I agree” button as a means of obtaining legal consent for the processing of personal data under the GDPR.
– Increased territorial application: The GDPR will apply to the processing of personal data of EU citizens, wherever in the world that processing takes place. This means that global companies must apply the GDPR to their processing activities wherever they are operating in the EU.
– Increased fines: Data protection authorities will be able to fine organizations up to €20 million or 4% of annual global turnover, whichever is greater, for serious breaches of the GDPR.
– New rights for data subjects: Data subjects will have new rights, including the right to be told if their data has been hacked and the right to be forgotten, which entitles people to have their data erased.
Who does GDPR apply to?
The GDPR applies to any organization that processes data generated from individuals who are located within the EU. If a company is based outside of the EU but offers goods or services to individuals within the region, then it is required to comply with the GDPR as well.
What is required of companies under GDPR?
The GDPR maintains the same goal as its predecessors: to protect EU citizens’ rights to privacy and data security. The GDPR will likely impact all industries, including health care, government, financial services, and insurance, as well as marketing and advertising companies. If a business collects or uses customer data, it must comply with the GDPR. Large enterprises will have to appoint a chief data officer, while smaller companies will have to designate a person responsible for data security and management. In addition, companies must provide better notification to customers regarding how their data is being used and keep that data up-to-date. The GDPR also specifies that data has to be kept in a secure environment and only used for the purposes it was collected for.
Storage and Protection of Data
Organizations that collect personal data from EU citizens must be able to demonstrate that they are handling and storing the information in a secure manner. This includes implementing appropriate data protection technology and infrastructure to ensure that the data is encrypted, only accessible to those with permission, and regularly audited for signs of tampering or malicious activity. Organizations must also be able to prove that they have the right to keep hold of the data in the first place. This means having a sound rationale for why they need the data, who it will be shared with, and how long it will be retained for. Under the GDPR, data has to be deleted as soon as it is no longer needed. Companies will therefore have to delete any data they have stored that does not relate to any ongoing contractual relationships or legitimate interests.
Limiting the Use of Data
The GDPR encourages data minimization, meaning organizations should only gather the data they actually need for the purposes of the contract being fulfilled. Any further collection or retention of the data must have a lawful basis such as contractual necessity or compliance with regulatory obligations. Organizations can minimize their data collection by limiting their use of cookies and collecting only the information needed for the transaction to be completed. For example, if a company needs to collect a person’s name and email address in order for them to sign up for a newsletter, the website should only request this information.
Conclusion
The GDPR places greater emphasis on the security and protection of personal data, which is fair considering the state of cybercrime and data breaches we see today. Businesses must now follow strict rules when it comes to handling and storing personal data. If they fail to comply with the new regulations, they could face fines of up to €20 million or 4% of their annual global turnover, whichever is greater. For many businesses, the GDPR marks the end of the unregulated era of data collection and use. For individuals, the GDPR spells more control over how their data is handled and a greater expectation that businesses will keep their data secure.