You might not have your business calendar planned out to May 25th 2018 but there’s a very good reason why you need to start getting organised for this date: it’s the introduction of the General Data Protection Regulation (GDPR).
So what is the GDPR? It replaces the existing Data Protection Directive (DPD) and aims to streamline and harmonise data protection law across the EU, protecting the privacy of individuals in the EU and changing the way businesses store and protect personal data.
Don’t be fooled into thinking that your business might not need to comply because it isn’t based in an EU country; the GDPR applies to any business that holds or processes personal data on people in the EU (not just EU citizens), wherever that business might be based.
Key Differences Between the GDPR and DPD
While many elements from the DPD have been carried over to the GDPR, there are a number of changes that have been made to account for the technological strides that have been made since the DPD was conceived in 1995. Take a second to think about how much our online habits have changed since 1995 and you’ll see why the demand for a new set of regulations was so great.
Some of the key changes you’ll notice about the new GDPR are:
While the previous regulations were a little muddy when it came to what could be enforced where, the GDPR makes it simple: any business that offers goods or services to people in the EU, or monitors behaviour that takes place within the EU, must fully abide by the GDPR, regardless of where it is established. No exceptions.
Conditions for Consent
Previously, companies could circumvent DPD legislation with complex and meandering T&Cs that most users would automatically skip, but these loopholes have been tightened up with the new regulations. The request for consent must now be given in a clear, visible and easily intelligible manner, separate from other terms, and consent itself must be an unambiguous, affirmative action (pre-ticked boxes don’t count). Additionally, under the GDPR it must be as easy to withdraw consent as it is to give it.
Remember at the beginning of this post we mentioned how important it is that your business makes adequate preparations to ensure you’re ready for the introduction of the GDPR? The penalties for non-compliance will make you realise why we stressed the importance of taking time to be fully prepared.
Organisations that breach GDPR regulations risk being fined up to 4% of annual global turnover (or €20,000,000, whichever is greater). This maximum fine applies to the most serious breaches (not obtaining valid customer consent, for example), and there is a lower tier for other infringements: businesses may be fined up to 2% of annual global turnover (or €10,000,000, whichever is greater) if, for example, they fail to keep adequate records of their processing activities.
Some of the key changes to the regulations themselves include:
Right to Access
Putting the control back in the hands of the users, the GDPR gives users the right to find out whether their personal data is being held by an organisation, what data it is, and both how and why it is being used. Organisations must respond to such requests, normally within one month, with a copy of the personal data free of charge (in electronic form where the request was made electronically).
Right to be Forgotten
The right to be forgotten (formally the right to erasure) is covered in further detail in Article 17 of the regulations, but the basic premise is that users can instruct businesses to erase their personal data if they withdraw consent, if they object to the processing, or if the data is no longer required for the original purpose it was supplied for.
Data Breach Notification
This is one in particular that businesses might need to create new processes for, and it’s an important one. The relevant supervisory authority (in the UK, the ICO) must be notified about any data breach that may result in a risk to individuals within 72 hours of first becoming aware that the breach has occurred, and where the breach is likely to result in a high risk to the affected individuals, they too must be notified without undue delay.
Privacy by Design
While there’s nothing new about the idea of privacy by design (the notion that systems should be designed with adequate data protection in mind), this is the first time it will become a legal requirement. This is covered in Article 25 of the GDPR (data protection by design and by default), which also requires data minimisation: only the data necessary for the completion of the service or transaction is collected and held, and only for as long as it is needed.
We could spend a lot longer covering the ins and outs of the GDPR, as there’s a lot of information to unpack and dissect. However, we want this post to serve as an introduction to the GDPR and will bring you more in depth posts about how your business can get GDPR-ready in the coming months.
If you have any specific requests for posts that will help your business learn more about the GDPR then please don’t hesitate to let us know.
*Update: WordPress 4.9.6, the last update before the launch of the GDPR, includes a number of new privacy features (a privacy policy page, and tools for exporting and erasing personal data) to help with GDPR compliance.*