The General Data Protection Regulation (GDPR) is
the biggest change in European data protection law for 20 years. When it comes
into effect on May 25th, 2018, it aims to give people in the EU back control
over their personal data. Its impact won’t be confined to Europe, though: it has
implications for companies across the world that process data on people living
in the EU.
While great news for individuals, it presents
complex problems for companies. As a case in point, they could face fines
running into tens of millions of euros if they breach the new regulation. With
that in mind, we’ve put together this simple explainer to answer the key
questions.
What’s GDPR again?
It is a new set of rules governing the privacy and
security of personal data, proposed by the European Commission and adopted by
the European Parliament and Council in 2016.
As a single regulation that applies directly in every EU member state, it makes
major changes to Europe’s privacy laws and replaces the outdated Data Protection
Directive from 1995.
What is the point of the new laws?
They have been designed to give power back to
citizens over how their data is processed and used.
Under the new rules, individuals have “the right to be forgotten”, meaning they
will be able to request that businesses delete personal data that is no longer
necessary for the purpose it was collected for, or that is inaccurate.
Plus, the intention is to simplify the regulatory environment by replacing a
patchwork of national laws with one set of rules across the EU.
How will this impact individuals?
As well as the right to be forgotten, the law holds
provisions that could potentially increase consumers’ rights over their data.
But there is a huge grey area about how it will
apply in reality. The laws mean that in theory someone could ask social networks
like Facebook to delete their profile entirely.
Laws relating to freedom of expression will stop
“the right to be forgotten” extending to news articles.
There is also a new right to data portability: individuals can obtain the data
they have given to a service in a commonly used, machine-readable format and
transfer it to another provider. That is great news for consumers, making it
simpler to swap utilities, insurance or ISPs.
How will this impact my business?
This shake-up of data protection law is all well
and good for individuals, but it could mean huge fines for businesses that
don’t comply.
Part of the reason regulators are taking a harder line is that data breaches
have become increasingly common in recent years. However, giving citizens back
control of their personal data is not necessarily easy.
Working out how to give it back to them, how to ensure it is stored adequately
for as long as it is needed (throughout an employee’s time with the company,
for example) and how to delete it securely afterwards is a technical and HR
minefield.
How much will it cost?
The biggest change to the law is the increase in
the amount of money regulators can fine companies that do not comply: up to 4%
of their global annual turnover or 20 million euros, whichever is greater.
This threat is certainly big enough to push
companies into changing how they handle data.
But I’m not in the EU – will it affect my
business?
GDPR has serious implications for companies in
countries outside the EU. Even if you’re based overseas, if you offer goods or
services to people in the EU, or monitor their behaviour, and process their
personal data in doing so, the regulation applies to you.
So, in short, if you process personal data belonging to individuals living and
working within the EU, you will be subject to the regulation.
What should businesses be aware of?
The Information Commissioner’s Office in the UK
recently released a set of guidelines to help businesses prepare for
GDPR.
It also recommends that companies review privacy
notices and ensure there is a plan in place that allows them to make any
necessary changes to be in compliance with GDPR.
It may not be as daunting as it sounds, though: the ICO
points out that the new measures contain many of the same principles and
concepts as the current Data Protection Act.
This means that companies already complying properly with the existing law will
have a solid starting point to build from, although that does not amount to
automatic compliance with GDPR.
There are also predictions that businesses will go on
recruitment drives for data protection officers, to ensure they’ve got the
right personnel in place.
What are the other potential ramifications?
Once GDPR comes in, companies could see more legal
challenges from individuals and from groups that take up privacy issues on
behalf of citizens.
But they may also see fewer challenges from
individual country regulators, because of a “one-stop shop” clause that makes
the regulator in the country of the company’s main EU establishment the lead
authority for cross-border cases.
Regulators are also being given more powers to
intervene if they feel another is being too lenient, through a consistency
mechanism that lets them object to a lead authority’s decision.
For more information on the General Data Protection
Regulation, ESET has a dedicated page
to help ensure that when the time comes, you have everything covered.