After 4 years of drawn-out negotiations, the European Parliament ratified the EU General Data Protection Regulation (GDPR) on April 14th.
According to a statement by the European Commission, “The new rules will ensure that the fundamental right to personal data protection is guaranteed for all. The General Data Protection Regulation will help stimulate the Digital Single Market in the EU by fostering trust in online services by consumers and legal certainty for businesses based on clear and uniform rules.”
The GDPR is the most significant change in data protection legislation since 1995, when the internet was in its infancy. It is designed to empower European consumers by giving them back control over their data, and to boost business growth by removing barriers that restrict data flows; the EU estimates business savings of €2.3 billion a year!
What is it?
The regulation creates a single harmonised set of data protection rules across the 28 member states of the EU, replacing the patchwork of national data protection laws and the 20-year-old Data Protection Directive 95/46/EC. It does, however, leave member states a number of options (at least 50 by some counts) on how they apply the rules, ranging from the age at which a child can consent to their data being processed (anywhere between 13 and 16 years) to additional rules for employee data.
The GDPR becomes compulsory on 25 May 2018. It will be enforced by the national data protection authorities, with a single EU-level body coordinating them so that the rules are applied consistently. Because it is a "regulation" rather than a "directive", it applies directly in every EU member state without the need for national implementing legislation.
Between now and then, member states and companies have two years to prepare, which should be enough time to get the new rules correctly implemented and for companies to adapt to them.
How will this new EU data protection law affect businesses around the world?
Well, for starters, it applies to any company, whatever its size and wherever it is based, that processes the personal data of individuals in the EU.
Were you aware of this? Many of those who should have been were not, according to research that TRUSTe (a data privacy management company) conducted last autumn among privacy professionals in the US, UK, Germany and France.
Awareness was highest among financial services companies (58%) and lowest among tech companies (43%), some of the heaviest users of personal data! Of those who were aware, 83% had already allocated a budget to address the changes required, while 65% were actively preparing for the regulation ahead of the final draft being approved.
Secondly, companies will face mammoth fines for breaching the new regulation: up to 4% of global annual turnover for the previous financial year (already declared, so there is no hiding it!) or €20 million (£15.8m / US $22.7m), whichever is greater. To put the size of that in context, the maximum penalty in the UK today stands at about £0.5m.
What else do I need to know?
Well, it's great news for consumers, and maybe not so good for businesses, depending on how well prepared they already are.
Consumers or “data subjects” will have the right to:
- "Be forgotten" – when a consumer no longer wants their data to be processed, and there is no legitimate reason for retaining it, they can ask a company to erase it. This includes the right to have links removed from search engine results.
- "Be notified" – businesses must tell individuals earlier and more comprehensively what they are doing with their data: why it is being collected, how long it will be kept for, and on what basis it is processed, and they must obtain "clear and affirmative consent" where consent is the basis for processing.
- "Data portability" – consumers will be able to obtain their personal data in a usable form and move it easily from one online service provider to another.
- "Be protected" – data protection must be "by design" and "by default" for products and services, with privacy-friendly default settings the norm.
- "Access data" – consumers can ask what data a company holds about them, free of charge, and must receive a response within one month.
- "Direct action against companies" – data processors and controllers will be jointly liable for damage caused by data protection breaches, so consumers can claim against either.
Businesses or “data processors” and “data controllers” will have to:
- Notify data breaches – a new requirement to inform the data protection authority within 72 hours of becoming aware of a breach (unless the breach is unlikely to put individuals at risk), and to tell the affected consumers without undue delay where the breach is likely to cause them harm.
- Work with a broader definition of personal data – it now explicitly covers "online identifiers" such as cookies and advertising IDs.
- Ensure all personal data is accurate, up-to-date, and collected only for a specific, stated purpose.
- Strengthen their own policies and procedures – including keeping accurate records of processing activities, conducting data protection (privacy) impact assessments for risky processing, and embedding privacy "by design and by default" in their systems.
- Abide by stronger rules on transfers of personal data outside the EU – a transfer is only permitted where the EU has recognised the destination country as providing adequate protection, or where the company has put approved safeguards in place, such as standard contractual clauses or binding corporate rules.
- Appoint a Data Protection Officer (DPO) where the regulation requires one (public bodies, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data), and publish the DPO's contact details so that consumers and the authorities can reach them.
What does this mean in reality?
For those not prepared, or who assume it is just an IT issue, the risks are huge. Apart from the fine, an even bigger risk is the damage to a business's reputation. According to Andrew Rogoyski, VP of cyber security services at CGI, in an interview with the Independent newspaper, “In a world where information is the most valuable currency, maintaining customer trust will be key to ensuring business success. Businesses which can’t get data protection right will quickly undermine customers’ trust and lose to the competition”.
How can I ensure that my company is compliant?
Do you pass this simple test? If not, you know what you'll be doing for the next two years!
- Do you have a data protection policy in force that reflects all your business activities and is it reviewed regularly?
- Do you need all the personal data that you collect and keep? Are you and your consumers clear what you are doing with the data? Can you respond effectively to a data access request?
- Is the personal data you hold accurate and up-to-date?
- Are you keeping personal data only for the required time period? When and how are you destroying it?
- Do you have a DPO (or, if the regulation does not require one, a named person responsible for data protection)? Do your employees know who to report a breach to, and how quickly?
At a loss to know what to do? Then consult your national data protection body, who will be able to guide you to full compliance.