The General Data Protection Regulation, commonly known as GDPR, will overhaul how businesses process and handle data.
To keep up with the huge amount of digital data being created, Europe’s data protection rules across the continent have been rewritten and have been in force since May 25, 2018. The new, mutually agreed European General Data Protection Regulation (GDPR) updates personal data rules and brings outdated personal data laws across the EU up to speed with the digital era. The previous data protection laws were put in place during the 1990s and haven’t changed much since, while technology has advanced rapidly throughout the years.
GDPR will alter how businesses and public sector organizations can handle the information of their customers, while on the other hand it will boost the rights of individuals and give them more control over their information.
What is GDPR?
The GDPR is Europe’s new framework for data protection laws – it replaces the previous 1995 data protection directive. The GDPR website says the legislation is designed to “harmonize” data privacy laws across Europe as well as give greater protection and rights to individuals. Within the GDPR there are large changes for the public as well as businesses and bodies that handle personal information. After more than four years of discussion and negotiation, GDPR was adopted by both the European Parliament and the European Council in April 2016.
Is my startup impacted?
Yes. Individuals, organizations, companies and even startups that either ‘control’ or ‘process’ personal data will be covered by the GDPR. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.
GDPR covers both personal and sensitive data. Personal data, a complex category of information, broadly means a piece of information that can be used to identify a person. This can be a name, address, IP address, etc. Sensitive personal data encompasses genetic data, information about religious and political views, sexual orientation, and more.
What’s the difference now?
In the GDPR document, there are 99 articles setting out the rights of individuals and obligations placed on organizations covered by the regulation. These include allowing people to have easier access to the data companies hold about them, a new fines regime and a clear responsibility for organizations to obtain the consent of people they collect information about.
While market analysts predict that large companies and organizations will understand the changes and be more efficient, they predict that startups, still in a growth phase, will face bigger challenges.
Companies covered by the GDPR will be more accountable for their handling of people’s personal information. This can include having data protection policies, data protection impact assessments and having relevant documents on how data is processed.
In the last 12 months, there has been a score of massive data breaches, including millions of Yahoo, LinkedIn, and MySpace account details. Under GDPR, the “destruction, loss, alteration, unauthorized disclosure of, or access to” people’s data has to be reported to a country’s data protection regulator.
This can include, but isn’t limited to, financial loss, confidentiality breaches, damage to reputation and more. The authorities have to be told about a breach within 72 hours of an organization finding out about it, and the people it impacts also need to be told.
The Data Protection Officer
For companies that have more than 250 employees, there needs to be documentation of why people’s information is being collected and processed, descriptions of the information that’s held, how long it’s being kept for and descriptions of the technical security measures in place.
Additionally, companies that have “regular and systematic monitoring” of individuals on a large scale or process a lot of sensitive personal data have to employ a data protection officer (DPO).
For organizations covered by GDPR, this may mean having to hire a new member of staff – although larger businesses and public authorities may already have people in this role. In this job, the person has to report to senior members of staff, monitor compliance with GDPR and be a point of contact for employees and customers. There’s also a requirement for businesses to obtain consent to process data in some situations.
Free access to your data
The GDPR also gives individuals a lot more power to access the information that’s held about them. Under the GDPR, requests for personal information can be made free-of-charge.
When someone asks a business for their data, they must stump up the information within one month. Everyone will have the right to get confirmation that an organization has information about them, access to this information and any other supplementary information.
The new regulation also gives individuals the power to get their personal data erased in some circumstances. This includes where it is no longer necessary for the purpose it was collected, if consent is withdrawn, there’s no legitimate interest, and if it was unlawfully processed.
Millions in Fines!
If an organization doesn’t process an individual’s data in the correct way, it can be fined. If it requires and doesn’t have a data protection officer, it can be fined. If there’s a security breach, it can be fined.
The fines could result in up to €10 million or two percent of a firm’s global turnover (whichever is greater). Those with more serious consequences can have fines of up to €20 million or four percent of a firm’s global turnover (whichever is greater).
While the fines are far larger than those under the previous regulations, market experts say that the idea is not to earn money from the process but to keep companies under pressure about the importance of protecting user data.
How to prepare your business for GDPR
When implemented, GDPR will have a varying impact on businesses and organizations: for instance, not every company will require a data protection officer. However, it’s important to make senior business leaders aware of the regulation, determine which information is held, update procedures around subject access requests, and define what should happen in the event of a data breach.
Businesses already complying with the current data protection law in their European country are highly likely to be meeting many of the GDPR principles already.
Tech companies are highly impacted
Even if a company is headquartered in the US, when its users are registered to an office within Europe – often this is in Ireland – they will be covered by the new regulation.
On the other hand, we see cases like Facebook, which has quietly decided to move around 70 percent of its users to be registered in the US, instead of Ireland. This means they will be out of the scope of GDPR’s requirements. The company says it is giving everyone the same privacy protections – no matter where they live or are registered.
Google has also issued notifications to all of its users reminding them to update their settings and review what data is collected about them. It has also updated the settings around its ads, as well as building a page for the businesses it works with.
In case you need more
If this article doesn’t cover all your questions, there are some incredibly useful resources available.
– The full regulation. It’s 88 pages long and has 99 articles.
– EU GDPR is full of information on the regulation.
– The GDPR Challenge, an excellent resource on becoming a GDPR Grandmaster.