Data security is a hot topic right now, with companies across the globe under the microscope for how they look after your data. That microscope might need to ramp up its magnification, because 2018 is bringing in a brand spanking new regulation.
What is this regulation and why do you need to know about it? I’ll tell you.
On the 14th April 2016, the European Parliament approved a new law regarding the handling of personal data. The law becomes active on the 25th of May 2018. Companies not in compliance with the new legislation could face fines of up to €20 million, or 4% of their annual global turnover, whichever is larger.
It’s called General Data Protection Regulation (GDPR) and it will replace the previous 1995 EU Data Protection Directive. Much has changed regarding the use of personal data since 1995, and the primary purpose of GDPR is to update the law to reflect this vastly different, data-driven climate. This means more rights for individuals, and more responsibilities for companies.
The second purpose of GDPR is to standardize data processing laws across Europe, making it easier for companies who previously had to deal with different statutes and government bodies for each country. The EU predicts this will lead to a €2.3 billion saving per year.
So, what’s changing?
GDPR for individuals
Under the new legislation, you will have much more control over the use and storage of your personal data. These new rights aim to increase the accountability of data controllers and processors in order to promote ethical, lawful and secure data practices.
Right to access: When the GDPR activates, you will have the right to demand a digital copy of all personal data a controller has concerning you, free of charge. They will also be required to disclose whether or not any personal data concerning you is being processed, and if so, where and for what purpose.
Right to be forgotten: Under certain circumstances, you will be able to request that a controller erase your data and cease its dissemination.
The conditions to be met include a withdrawal of consent, and the data no longer being relevant to the original purposes for processing. However, even if these conditions are met, the controller might still deem it in the public interest to retain the data. In this scenario, they will not be obligated to erase it.
The changes you will notice most in your daily life are the changes to consent. The GDPR sets the bar much higher than existing legislation when it comes to acceptable methods of obtaining consent.
No longer will companies be allowed to throw a 10-page legalese terms & conditions document at you and leave it at that. The request for consent must be given using clear and plain language, with the purpose for data processing clearly stated. It must also be as easy to withdraw consent as it is to give it.
GDPR for companies
All ‘controllers’ and ‘processors’ (see below for definitions) dealing with the personal data of EU citizens will be affected by the GDPR, including those not based in Europe. It will also apply to all controllers and processors in the EU, regardless of where the data subjects are.
Companies that regularly deal with personal information will be required to appoint a Data Protection Officer (DPO) who will be responsible for ensuring that the company is in compliance with the GDPR. Companies will also be obligated to disclose data breaches to their customers within 72 hours of discovering the breach.
The long and short of it is that GDPR will impact virtually any company that’s based in Europe, or has customers in Europe. If your company trades in Europe, then you will most certainly feel the impact of the GDPR.
Article 4 of GDPR gives detailed definitions of the key terms used throughout the document. As it’s not necessarily clear what’s meant by some of these terms, the most important ones are listed below:
- Personal data: “any information relating to an identified or identifiable natural person”. This includes data ranging from political opinions to ID numbers.
- Controller: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
- Processor: “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
- Processing: “any operation or set of operations which is performed on personal data or on sets of personal data”
The controller decides who processes your data, how they do it, and for what purpose. Meanwhile, the processor is the one actually interacting with the data.
What about Brexit: will the GDPR apply to the UK?
Even though Britain has triggered Article 50 and will be leaving the EU, it will still be a member state when GDPR activates. This means that until Brexit is complete, handling of the personal data of British citizens will still be governed by GDPR.
However, there are a number of optional powers built into GDPR, in order to help it mesh with the different cultural expectations of various member states. The UK plans to make use of that freedom in its own Data Protection Bill (DPB). For example:
- Controllers outside the EU who are handling British data will not be required to appoint an EU representative
- British citizens who wish to make a complaint against an organization will not be able to do so anonymously
So the short answer to the question above is yes: GDPR will apply to the UK.
So there you have it. If all goes as planned, on the 25th of May next year you will enjoy greater control over your data, while companies who deal with European data will save money and time by dealing with one law for all of Europe.