General Data Protection Regulation, or GDPR, is coming into force shortly. Here is what it means and how it will affect individuals and businesses.
General Data Protection Regulation.
In January 2012, the European Commission set out to reform data protection across the European Union to make Europe ‘fit for the digital age’. Almost four years later, a consensus was reached on what that reform involved and how it would be enforced.
The introduction of the General Data Protection Regulation (GDPR) is one of the key components of the reforms. This new EU framework applies to organisations in all member states and has implications for businesses and individuals across Europe and beyond.
In simple terms, GDPR is a new set of rules designed to give EU citizens more control over their data. The aim is to streamline the environment for business, so companies and citizens can take advantage of the digital economy.
The reforms are designed to reflect today’s world and update laws and obligations across Europe. This matters because almost every aspect of our lives now revolves around data – social media companies, banks, retailers, governments and many others all store your personal data.
Under GDPR, organisations must ensure that personal data is collected legally and under strict conditions. Those who collect and manage data are obliged to protect it from misuse and exploitation and to respect the rights of the data subjects. Failure to do so will lead to penalties.
GDPR applies to any organisation operating within the EU and to organisations outside the EU that offer goods or services to customers or businesses in the EU. This means almost every major corporation in the world must ensure its GDPR compliance strategy is in place for when the regulation comes into effect.
There are two types of data handlers which the law will apply to: ‘processors’ and ‘controllers’. The definitions of each are laid out in Article 4 of the General Data Protection Regulation.
GDPR places legal obligations on a processor to maintain records of personal data and of how it is processed, which creates a higher level of legal liability if the organisation is breached.
Controllers will also be required to ensure all contracts with processors follow GDPR.
The types of data considered personal include names, addresses and photos. The definition extends to IP addresses and to sensitive data such as genetic data and biometric data that could be processed to identify an individual.
GDPR will apply across the EU from 25th May 2018, and all member nations are expected to have transposed it into their own national law by 6th May 2018.
From 25th May 2018, all organisations are expected to be compliant with GDPR.
The streamlining of data legislation under GDPR is expected to bring benefits to businesses. “By unifying Europe’s rules on data protection, lawmakers are creating a business opportunity and encouraging innovation,” the European Commission says. The regulation also requires that data protection safeguards be built into products and services from the earliest stages of development, to provide ‘data protection by design’.
One of the major changes GDPR will bring is giving consumers the right to know when their data has been breached. Organisations will be required to notify the appropriate national supervisory body as soon as possible so that citizens can take appropriate measures to prevent their data from being abused.
Consumers are promised easier access to their own data in relation to how it is processed, with organisations needing to detail how they use consumer information in a clear and understandable way.
GDPR is also set to bring a ‘right to be forgotten’ process, which allows people who do not want their data processed to have it deleted, provided there are no grounds for retaining it.
Organisations must keep these consumer rights in mind once GDPR comes into force.