You’ve probably read quite a few headlines recently relating to the EU’s General Data Protection Regulation (GDPR). But how much do you know about the far-reaching implications of this new legislation?
If you’re feeling in the dark about the whole thing, don’t worry, you’re not alone.
According to the Close Brothers Business Barometer – a quarterly survey of more than 900 SMEs across a range of sectors and regions in the UK and Republic of Ireland – less than a third (31%) of businesses polled answered “yes” to the question: “Are you clear what ‘personal data’ means in a business context?”
What is GDPR?
GDPR is the result of four years of work by the European Commission to update data protection laws so that they address the new, previously unforeseen ways that data is now used today.
It will come into effect on 25 May 2018 and will apply to all EU member nations. That means any businesses operating within the EU, as well as any outside of the EU which offer goods or services to customers or businesses in the EU will need to comply.
In other words, pretty much every major corporation in the world will need to be in compliance when GDPR comes into effect – that includes me and probably you (depending where you are based, etc.).
Why is it important?
GDPR is important because it is such a major shakeup and will effectively give consumers more control over how their personal data is used by organisations.
Let’s not forget that existing data protection laws were enacted before technologies like the cloud were being used in anger and before the internet created new ways for data to be exploited.
Companies like Facebook and Google swap peoples’ data for access to their services and know everything from a person’s email address to who they are currently dating.
In addition, GDPR will simplify the legal environment in which businesses operate, by making data protection law identical across the EU.
How will it affect me?
If you are a ‘controller’ or ‘processor’ of data, GDPR will apply to you.
In a nutshell, a data controller is an entity that states how and why personal data is processed. A data processor is the party that actually does the processing. So, for example, a data controller could be an organisation (a charity, government agency or profit-seeking business), while a data processor might be a third-party IT company that does the actual processing of the data.
For a full definition of each, refer to Article 4 of the General Data Protection Regulation.
Under GDPR, the definition of personal data will be extended. So, in addition to covering things like names, addresses and photos, personal data will also include information like IP addresses, genetic data and biometric data.
Once GDPR comes into force, data controllers will also be obliged to report all data breaches to their data protection authority, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. This breach notification must occur within 72 hours of the organisation first becoming aware of the breach.
Furthermore, if a breach is serious enough, the organisation must also notify the affected individuals directly in a one-to-one correspondence. In other words, it won’t be good enough to inform people via a press release, company website or social media channel.
In the UK, the authority is the Information Commissioner’s Office. In France, it’s the Commission Nationale de l’ Informatique et des Libertés (CNIL).
While the European Commission says that GDPR will save businesses across Europe around €2.3 billion per year, the associated fines for non-compliance are rather hefty.
There will actually be two levels of fines under GDPR. The first is up to €10 million or 2% of the company’s annual worldwide turnover of the previous financial year (whichever is higher), while the second is up to €20 million or 4% of the company’s annual worldwide turnover of the previous financial year (whichever is higher).
For failing to notify of a data breach within 72 hours (and other data mishandling issues), the first fine will apply. For not following the basic principles for data processing, such as consent, ignoring individuals’ rights over their data, or transferring data to another country, the second, larger fine will apply.
The full list of circumstances under which each level of fine applies can be found in Article 83(4) and Article 83(5) of the General Data Protection Regulation.
Where can I find out more information?
The UK Information Commissioner’s Office has created a handy 12-step guide to help you get up to speed ahead of the changes coming into effect on 25 May 2018: Preparing for the General Data Protection Regulation (GDPR).
Likewise, the CNIL in France has also published a guide ahead of GDPR coming into force, Règlement européen sur la protection des données personnelles.
It’s pretty heavy reading, but the General Data Protection Regulation contains everything about the forthcoming data protection changes.