What is the EU GDPR?
The European Union General Data Protection Regulation (GDPR) is being introduced as the next level of data protection for internet users who live within the EU.
These days so much of our information is floating around the internet with little to no way of cleaning, managing or even deleting our personal data.
Until now, everyone has simply banked on every site they leave details on, such as name, address, date of birth and phone numbers, being 100% safe and secure. The steady flow of sites being hacked and data being sold on has made it very clear that this is far from true.
Currently, if any company, regardless of size, has a data breach and your data is stolen, the best you get in return is a public apology on the news, and that is it.
The new GDPR regulations that are to be set in place will bring new data protection legislation, meaning that stored information will be safer for consumers. Previously we had the Data Protection Act, which was constructed in 1998, but since then the internet has evolved, meaning that data protection has to be updated with it.
What about the countries outside the EU?
This Regulation will also apply to non-EU companies that process personal data of individuals who live in the EU. Countries such as the USA do have a form of data protection of their own, but organisations handling EU residents' data will still need to upgrade their websites and data protection systems.
As a consumer, how will this affect me?
People within the EU will now have better protection of their personal data, with more control, including:
- You will be able to request a copy of all the personal data held by the company in a portable form.
- Parental consent is required for the processing of personal data of children under 16.
- You will have the right to have all data held about you deleted upon request.
- Companies must obtain your consent before processing your personal data.
As a company, how will this affect me?
Some of the key points within the GDPR that companies will have to adhere to are:
- Rights of Access – Companies must be able to supply all processed personal data, and how it is processed, upon request.
- Right to Data Portability – Enable citizens to transfer personal data between companies upon request
- Report Data Breaches to Supervisory Authorities and individuals – Reports must be made within 72 hours of the breach
- Appoint Data Protection Officers – Certain companies will be required to appoint a data protection officer to oversee data security and ensure GDPR compliance.
- Right to be Forgotten and to Data Erasure – Companies must stop processing and delete personal data upon request.
- Reasonable Data Protection Measures – Requires companies to implement a reasonable level of protection for EU citizens' personal data by design.
- Data Protection Impact Assessments – Companies should be able to identify risks and outline measures to ensure those risks are addressed.
What kind of data will the GDPR protect?
The new legislation aims to cover as much information about consumers as possible. This will secure potentially sensitive information such as the following:
- Location data
- IP Addresses
- Cookie Data
- Health Data
- Genetic Data
- Biometric Data
- Racial or Ethnic Data
- Political Opinions
- Sexual Orientation
What happens if you don't follow the GDPR regulation?
The first impact companies will face is to their reputation. With these new systems in place, there will be no excuses for being careless with user information. Users will gravitate to secure and well-managed sites, so failure to comply will result in a drop in sales or visitors.
On top of the reputation risk, there will be two tiers of very large financial penalties, depending on which part of the regulation has been breached:
- Failure to comply with technical requirements such as impact assessments, breach communications, and certifications can lead to a maximum fine of 10 million euros or 2% of global turnover, whichever is greater.
- Failure to adhere to the core principles of data processing, infringement of personal rights, or the transfer of personal data to other countries or international organisations that do not ensure an adequate level of data protection will lead to a fine of up to 4% of your annual global revenue or 20 million euros, whichever is greater.
What happens when a data breach is discovered?
Within 72 hours of discovering the breach, the data protection authority (DPA) must have been notified.
The notification should include a detailed report of the number of records affected, the categories of data breached, the measures taken to address the breach, and the measures taken to mitigate its possible adverse effects.
You should then explain the consequences of the breach, whether it poses a high risk to consumers' rights, and whether the owners of the data should be notified.
The UK is leaving the EU, so does this even matter?
The GDPR will be introduced before the completion of Brexit, as the UK is adopting all EU legislation before its exit from the EU. You may find that this has been dubbed the Great Repeal Bill. Putting aside whether you are a Leave or Remain supporter, the GDPR will ensure that millions of users around the world have a greater chance at data protection.
When does this all start to take effect?
The GDPR was passed through the EU Parliament back in April 2016, and it will take full effect on 24th May 2018. If you are in a data-sensitive industry, make sure that your website and supporting technologies are ready and up to date to adhere to the new legislation being put through.