The General Data Protection Regulation (GDPR) will enter into force in the second quarter of 2018, with the aim of strengthening and unifying data protection inside the European Union. The new laws on data protection and privacy will bring some new challenges along with a whole new set of great opportunities.
The GDPR's principal aim is to give citizens more control over their personal data and to simplify life for companies, both European and international ones, by harmonizing and unifying the regulation within the EU. Adopted on April 27, 2016, after more than four years of discussion, the GDPR replaces the Data Protection Directive 95/46/EC and is now in a transition period that ends on May 25, 2018, when it becomes enforceable.
The GDPR introduces new responsibilities for data controllers (particular emphasis is placed on the documentation that data controllers are required to keep in order to demonstrate their accountability) and for processors, such as stricter rules on customer consent, new deadlines for reporting data breaches, the right to erasure (the "right to be forgotten"), the right of access to your data (within one month, free of charge), the right to restriction of processing and the right to data portability. Basic data that is usually required to perform everyday online actions, such as booking a flight, opening a bank account, requesting the issue of a credit card or registering on a new online platform, will also be considered personal data.
Returning to the novelties introduced by the GDPR, one of the most discussed elements is the set of sanctions that regulators can apply to firms that do not comply with the new regulation. Depending on the kind of infringement, ranging from not processing personal data in the correct way to data security breaches, companies can be obliged to pay fines of up to €10 million or 2% of the company's turnover (whichever is higher), or, in the worst cases, fines of up to €20 million or 4% of the firm's global turnover (whichever is higher).
To avoid any issues, businesses should now move quickly and take the required actions before it becomes too late. The Information Commissioner's Office (ICO) in the United Kingdom has created a useful 12-step guide that can help in understanding the different points and getting prepared for the new changes. In that sense, an important point is to understand whether your company needs to formally designate a Data Protection Officer (DPO).
The DPO is a role that will be required for:
– public authorities;
– organizations that carry out regular monitoring of individuals on a large scale;
– organizations that carry out large-scale processing of particular categories of data, such as criminal convictions or health records.
For further reading on this, we suggest taking a look at the European Union's official website for the GDPR, as well as at the full regulation published on 27 April 2016 in the EU's Official Journal: Regulation (EU) 2016/679 of the European Parliament and of the Council of the European Union.