The EU General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) is coming into force on 25th May 2018. So, what should we know?
The EU General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14th April 2016, after several years of debate and preparation. From 25th May 2018 the GDPR will come into effect.
What is the GDPR?
The EU GDPR replaces the Data Protection Directive 95/46/EC. Its purpose is to harmonize data privacy/protection laws across Europe, ‘to protect and empower all EU citizens data privacy and reshape the way organisations across the region approach data privacy.’
Here’s a quick summary, from a user perspective, of what will happen:
- Organisations will be held accountable for not processing your data responsibly according to new EU regulation.
- Companies will no longer be able to use long and illegible Terms and Conditions. T&Cs must be written in an intelligible and easily accessible form.
- Further to this, the request for consent to process your data must be clear and attached to the Terms and Conditions.
- If your data is compromised, organisations must inform you within 72 hours of first becoming aware of the breach.
- You have the right to know if your data is being processed, where and for what purpose. You can obtain all of this information for free.
- You have the right to be forgotten. You can inform a data controller that you wish for all of your personal data to be erased, and dissemination and processing by third parties must cease.
What happens when the United Kingdom leaves the European Union?
If you process data about an individual in the context of selling goods or services to citizens within the EU, then you must comply with the GDPR, even if the UK does not retain the GDPR post-Brexit. If your activities are limited to the UK, the position isn’t clear. The UK Government is due to publish the European Union (Withdrawal) Bill. One of the actions of this Bill will be to bring all current EU laws into UK law, so the GDPR will stand, provided the Government makes no further changes. The EU expects any changes in legislation to reflect EU law, as these changes must comply with existing EU regulations so that the EU digital market can be accessed by UK businesses.
Who is affected by the GDPR?
The GDPR affects not just companies and organisations located within the EU, but also any organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. The GDPR applies to all companies processing and holding the personal data of anybody (a data subject) residing in the EU. This is irrespective of the company’s location.
What are the penalties if I don’t comply with the new law?
Organisations can be fined up to 4% of annual global turnover or €20 million, depending on which figure is higher. This is the maximum fine for the most serious infringements, such as ‘not having sufficient customer consent to process data or violating the core of Privacy by Design concepts’. The fines will be tiered, and the fine imposed will depend on the severity of the breach.
What is the difference between a data processor and a data controller?
A controller is ‘the sole entity that determines the purposes, conditions and means of processing personal data’ whilst the processor is ‘an entity which processes personal data on behalf of the controller.’
What constitutes personal data?
‘Any information related to a natural person or ‘Data Subject,’ that can be used to directly or indirectly identify the person.’ This is anything that can explicitly identify a person, e.g. a photograph, an email address, a person’s bank details.
What are the conditions for giving consent to data processors?
The conditions for consent have been strengthened, according to the EU. Companies will no longer be able to utilise long, illegible terms and conditions full of legalese (the technical language of a legal document). Hence the request for consent must be given in an intelligible and easily accessible form. The less complicated terms and conditions will contain a clause for data processing, which is where the user gives their consent for their data to be processed.
The consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. The principle is that ‘it must be as easy to withdraw consent as it is to give it.’
Does my organisation require a Data Protection Officer?
You must appoint a DPO in the case of:
- Public authorities
- Organisations that engage in large scale systematic monitoring
- Organisations that engage in large scale processing of sensitive personal data
If your organisation fits into none of the above categories, you don’t need to appoint a DPO.
For more information, you can read the new regulation in full on the EU GDPR website.