EU data protection directive enforced one month today
There’s just one month to go until the launch of GDPR, as rules on data protection and privacy look set to change dramatically.
The new laws, which will come into effect across the EU in May, have been looming since Europe’s adoption of the rules in 2016.
But despite a two-year warning period, forecasts suggest that many public bodies and businesses still aren’t ready for the changes.
And while some have bemoaned the new legislation, which affects personal data and breaches, privacy campaigners have welcomed the move.
The regulations won’t just affect those in Europe, as international businesses are expected to exercise them, too.
Here’s all you need to know about the impending laws, and how to ensure you comply with them:
What is GDPR?
The General Data Protection Regulation is a new EU law which will govern the use of personal data across the region.
It was adopted on April 27, 2016, and will come into effect on May 25, 2018.
The GDPR will replace the Data Protection Directive, which was implemented in 1995.
What does it mean?
GDPR will bring with it a host of new guidelines and laws focused on how personal data is collected inside the EU, and how it is exported outside.
Companies will have to obtain an individual’s expressed consent before collecting and using their information.
And people can request to see what data a business has of theirs, and also ask for it to be destroyed.
Importantly, it will also force companies into reporting a data breach within 72 hours – or face the consequences.
What happens if companies don’t comply?
Companies will be forced to report a significant data breach to the relevant authority within 72 hours.
If a company suffers a data breach and doesn’t report it, serious fines can be imposed.
Penalties of up to €20 million or 4% of annual turnover – whichever is greatest – can be issued if the rules are not followed.
Regular audits can also be enforced on a company, as can a ban on processing data.
However there are certain exceptions to the breach notification rules. The company doesn’t have to report the incident if, for example, the data is encrypted and isn’t legible.
Who will enforce the rules?
Each member state will appoint a supervisory authority (SA) to oversee and enforce the regulations.
This body will be given the power to conduct audits, issue warnings, impose fines, and even ban companies from processing data if they are found to be in breach of the rules.
For example in the UK, the GDPR will be implemented in law by the Department for Digital, Culture, Media & Sport but it will be governed by the Information Commissioner’s Office (ICO), headed by Elizabeth Denham.
How can I use it to protect my data?
Individuals will be required to reevaluate terms and conditions policies for any organization that processes their data, such as online shops and social media sites.
They can also request to view which of their personal data is stored, and ask for this to be removed.
I’m a business owner – what do I need to do in order to comply?
If your company either controls or processes information, there are things you need to be aware of.
The ICO has created a checklist for businesses, which you can find here to determine what steps you need to take.
You may have to update your data policy to reflect the new rules, or prepare the data you already store for a possible audit.
Companies might have to prepare themselves for data requests and will have to be aware of how and when to report a breach.
In some cases, you might also have to employ a data protection officer to ensure compliance.
And what will the government do?
Public authorities or bodies will be ordered to employ a data protection officer (DPO), who will oversee the collection and processing of information.
The DPO will be independent and will monitor internal compliance, advise on best practice, and will work together with the member states’ supervisory authority.
How will those outside of the EU be affected?
Any data belonging to a person living inside the EU will be affected by the GDPR, regardless of where the company collecting or processing it is based.
For example, an e-commerce site based in the US will be liable to these rules for those customers living inside the EU.
These companies are expected to comply with the new rules and will also face punishment if they are found to be in breach.
Have companies already started to implement changes?
Companies inside the EU have already started to make changes, and many will already have notified users or customers of the upcoming law.
You may have received emails asking you to opt-in to the new terms and conditions.
And for some, such as Facebook, the GDPR has brought about company-wide changes to block some users from being protected by it.
The social media giant has tweaked its terms and conditions so that 1.5 billion users outside of the EU will be governed under different terms and conditions to those outside of Europe.
Users in the US and elsewhere will be told to opt-in to a separate policy, which will be formed in California and will reflect US law.