The European General Data Protection Regulation presents the most significant change to data protection in the UK and EU since 1995. It's been discussed in the EU for the last four years so hopefully, they have taken that time to ensure that in practical terms it will work.
It will come into force in May 2018 once adopted, it will be the law across 26 EU states and that's one of the big differences with how Data Protection is implemented in the member states.
The need for UK businesses to comply to GDPR remain the same post Brexit, as GDPR will apply to all organizations handling data on EU citizens even if a country where the organization is based is outside the EU e.g. UK.
Image courtesy of Chris Sharp at Freedigitalphotos.net
The EU GDPR will increase privacy for individuals and give regulatory authorities greater powers to take action against businesses that breach the new law. So, what does it mean for your business?
- Big penalties - fines of up to 4% of annual global revenue or €20 million whichever is greater
- Applies to non-EU companies if they process personal data of EU individuals
- Broader definition of personal data to include genetic, cultural, economic, mental and social identity
- All international transfer of data will be under GDPR rules
- Obtaining consent for processing personal data must be clear
- Citizens have the right to be forgotten
- Parental consent for processing data on children under 16 years
- Users can request a copy of personal data in portable format
- DPO (Data Protection Officer) will be mandatory for companies processing large volumes of personal data
- Privacy risks assessments for high risk projects
- Controllers must report a breach in a minimum of 72 hours
- Data controllers must ensure adequate contracts are in place to govern data processors
- Data processors can be held directly liable for the security of personal data. There may be an overlap here with the NIS standard.
- Privacy-by-design should be considered in all aspects
So, there is a lot for a business to consider and there is also a lot at stake. In this blog series I will address the key requirements and some mitigating strategies so look out for the next installment.