In 2016, the EU adopted new data protection legislation that will replace the data protection laws currently in force within Europe. The new regulation is known as the General Data Protection Regulation (GDPR for short) and is hailed as the biggest change in EU data protection law in the last 20 years. The new rules cover numerous key issues relating to personal data stored and used by businesses, and they also (finally) harmonise the many different national variations that exist today within each member state into one uniform set of rules for all businesses.
The new GDPR regulations will replace the existing data protection laws within the EU (known as Directive 94/46/EC) on 25 May 2018. From that day the new rules apply, which means that you are expected to review your business and bring it into compliance between now and then.
Does it apply to me?
GDPR applies to all organisations operating within the EU and processing personal data of EU citizens. By personal data we mean any information that is collected, stored or used by your business that relates to identified persons, such as your customers or sales leads.
What does the new law say?
The new regulations build on the previous data protection laws by giving new rights to citizens as well as imposing new obligations on organisations in terms of how they use personal data. GDPR also establishes penalties in the form of fines of up to 4% of annual global turnover for infringements. It is important to note that these penalties apply both to data owners (controllers) and to handlers (processors). This means that cloud solutions are not exempt and must be considered an integral part of the whole business data landscape.
Although the key principles of data privacy to protect personal information remain unchanged from the previous laws, many changes have been introduced covering the policies businesses must adopt to achieve compliance. Here are some of the most important:
The new laws now cover all businesses processing data of EU residents, regardless of their location. This means that GDPR now also applies to organisations established outside of the EU where they are serving or collecting data from customers within the EU.
A key compliance condition established by GDPR is the need to obtain clear consent from individuals when collecting their data. The consent must inform people of the purpose for the holding of their data and must also enable them to grant, deny as well as withdraw their consent at any time in the future. The wording of such a consent should not be hidden in long and complex legal small print, but must be presented in an easily readable form.
If a data breach occurs, you are now required by law to inform the data protection authorities without delay. Third party data processors, such as your cloud vendor, are also required to inform data controllers (your organisation) immediately if they become aware of any data breach.
An individual will now have the right to be “forgotten” by an organisation, forcing it to erase their personal data entirely. The right to erase their data is triggered upon a request by the individual, but also in the case that the original purpose for processing their data changes.
GDPR proposes a new common data format that can be used to transmit personal data back to customers should they request it. It will now be a right for any individual to request a copy of the data an organisation holds about them.
The need for organisations to think of ways to keep customer data private and safe is now also enshrined into the law. Techniques and technologies such as data encryption and access control are some of the measures organisations may take to “implement appropriate technical and organisational measures … to meet the requirements of this Regulation and protect the rights of data subjects”. This effectively means that an organisation must think long and hard about how it keeps and handles personal data as any careless or inappropriate processes may constitute a breach of their data security standards.
What’s the Next Step?
Webcraft welcomes the introduction of the new GDPR as it removes ambiguities and loopholes that previously caused confusion about how organisations should manage personal data. We believe that the new regulations will help protect citizens’ information on the Internet as well as within organisations in general.
Get in touch with us today to find out more about how we can assist your organisation.
Learn more about GDPR at eugdpr.org