Are you Ready for GDPR?
Preparing For GDPR and Data Protection Reform
Data privacy laws have been consistently intensifying in the last few decades as technology has advanced and the reach of some companies has continued to expand. In the EU, the big news is that GDPR, or General Data Protection Regulation, is going to be enforced as of May 25th, 2018.
Data Privacy Laws
GDPR is intended to bring all the data privacy laws across Europe into harmony so there is less confusion about how to protect the information of consumers. In the short run this will mean significant complications for businesses as they work to adjust their policies to be in accordance with the regulation.
Key GDPR Changes
The three key changes to past privacy regulations are around the increased territorial scope, the penalties levied, and the conditions for consent.
- Scope – The most important thing to realise about GDPR is that it doesn’t just pertain to EU businesses; it pertains to any business that provides services to, and collects data on, EU data subjects. This puts nearly every business under the microscope, since it is difficult to completely avoid customers from the EU.
- Penalties – The penalties can be severe, with fines up to 4% of annual global turnover. The highest fines are levied when a company does something egregious, such as failing to gain customer consent to process data. It is important to realise that this applies to both data processors and data controllers, so “cloud” companies won’t be able to escape unscathed.
- Consent – Prior to GDPR, it was possible to gain the consent of subjects by using hard-to-decipher terms or advanced legalese to confuse the consumer into acquiescing. Now, consent must be based on clear and plain language, so that no confusion can result, and withdrawing consent must be as easy as giving it.
Other major changes involve the mandatory notification of a breach pertaining to a consumer’s data, data portability, and the right to be forgotten. Each of these will require its own process to be put in place for when a consumer makes a specific request. Additionally, companies will now require the consent of parents if the consumer in question is under the age of 16.
Preparing for GDPR
To prepare for GDPR, it is important to assess which aspects of the regulation your company is not currently in compliance with, and to take measures to remediate them. Key points of interest concern children, consent, data breaches, subject access requests, and the international aspect of all of these. Additionally, public institutions and companies meeting other conditions will be required to appoint a Data Protection Officer (DPO), who would be in charge of addressing all these points.
GDPR Going Forward
Individuals have data rights, and EU regulators are becoming very aggressive in their desire to protect these rights. Every organisation that processes personal data must be compliant with the new GDPR rules on 25 May 2018, and this includes charities and voluntary organisations. Your senior staff should be aware that the law is changing and take appropriate action. If you don’t know what personal data you hold and where it came from, you will need to organise an audit of your different systems and departments to find out.