The General Data Protection Regulation, or GDPR, is a European Union Regulation (2016/679) taking effect in all EU member states on the 25th of May 2018. It is a piece of legislation designed to address data protection for all EU citizens and everyone located in the EU.
It will actually affect all companies handling the data of EU citizens, regardless of whether they are based in the EU. What does this new Regulation mean for business?
Firstly, the GDPR will unify EU data regulation. This means that no matter what country your business is operating in, the processes to ensure the safe handling of consumer data will be the same. Each country will have a Supervisory Authority to regulate complaints and sanctions, and your business will be beholden to one primary Supervisory Authority which will then cooperate with others to ensure the Regulation’s requirements are being upheld.
- Data Protection Officers
In addition, large companies will be expected to hire a ‘Data Protection Officer’ (DPO). A DPO is an expert on data protection law, who is also expected to be proficient in IT management and experienced in dealing with the issues surrounding the processing of personal and sensitive data. GDPR is opening this new role in many businesses. It will require a support team and funding, but it is essential that the DPO and their team remain independent and objective.
- Data Security
Thirdly, GDPR is placing far more emphasis on data security and storage by creating more guidelines for pseudonymisation. Pseudonymisation is the transformation of data from its raw state into pseudonyms, which can only be reverted with the help of a key. An example of this is encryption, where data is converted into values that reveal nothing about the original and can only be reverted with the encryption key.
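As an added illustration, not code from the article, the following Python sketch shows the separation the paragraph describes: direct identifiers are replaced by a keyed pseudonym, the table that maps pseudonyms back to identities is kept apart from the working data together with the key, so only the key holder can re-identify a record, and an erasure request removes both the mapping and the subject's records. The field names and sample records are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Fields treated as direct identifiers in this example (an assumption).
DIRECT_IDENTIFIERS = ("name", "email")

def pseudonym_for(email: str, key: bytes) -> str:
    # Keyed HMAC rather than a plain hash: without the key, nobody can recompute
    # pseudonyms from guessed e-mail addresses and match them to records.
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymise(record: Dict[str, str], key: bytes, lookup: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Return a copy of record with direct identifiers replaced by a pseudonym."""
    # lookup (pseudonym -> identifiers) is the additional information that allows
    # re-identification; it is stored separately from the working data set.
    token = pseudonym_for(record["email"], key)
    lookup[token] = {f: record[f] for f in DIRECT_IDENTIFIERS}
    public = {f: v for f, v in record.items() if f not in DIRECT_IDENTIFIERS}
    public["subject_id"] = token
    return public

def reidentify(public: Dict[str, str], lookup: Dict[str, Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Restore the identifiers; only possible for whoever holds the lookup table."""
    ids = lookup.get(public["subject_id"])
    if ids is None:
        return None
    return {**ids, **{k: v for k, v in public.items() if k != "subject_id"}}

def erase(email: str, key: bytes, lookup: Dict[str, Dict[str, str]], data: List[Dict[str, str]]) -> int:
    """Honour an erasure request: drop the lookup entry and the subject's working records."""
    token = pseudonym_for(email, key)
    lookup.pop(token, None)
    before = len(data)
    data[:] = [r for r in data if r["subject_id"] != token]
    return before - len(data)

if __name__ == "__main__":
    key = secrets.token_bytes(32)   # held by the controller, apart from the data and lookup table
    lookup, data = {}, []
    # Constructed sample records for the demonstration.
    for rec in ({"name": "Ada", "email": "ada@example.org", "order": "A1"},
                {"name": "Ada", "email": "Ada@Example.org", "order": "A2"}):
        data.append(pseudonymise(rec, key, lookup))
    print(data)                                          # no names or e-mails; same subject_id twice
    print(reidentify(data[0], lookup))                   # identifiers restored via the lookup table
    print(erase("ada@example.org", key, lookup, data))   # 2
```

Whether dropping the mapping alone is enough to satisfy a deletion request is a legal question for the DPO; the code therefore removes the subject's working records as well.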
- A Tightening of the Law
Overall, GDPR represents a tightening of the law. The regulation requires faster responses to breaches and larger fines for failures to comply when compared to the Data Protection Act (DPA). For example, breaches now must be reported within 72 hours of discovery, whereas under the DPA there was a far longer timescale. GDPR places ultimate responsibility on the Controllers of the Data (businesses) but also places significantly more liability on Processors (individuals who work with the data) than under the DPA.
- Transparency with Customers
Lastly, businesses must now be far more transparent with customers about the use of their data. Businesses must communicate to their customers exactly what their data is being used for, and active affirmation of consent is required to process an individual’s data. If this consent is withdrawn, that individual has the right to demand that all records of their data be deleted. In addition, once data is no longer required it must be deleted.