What? The General Data Protection Regulation (GDPR) is the new legislation from the European Union which replaces the 1995 Data Protection Directive (DPD).
The DPD consisted of a now-outdated set of laws designed to protect the personal data of UK citizens. The GDPR make data protection rules standard across the board (Europe).
When? The GDPR comes into effect on 25th May 2018, and even though the UK is leaving the EU, the GDPR will take effect before the two-year timeframe of Article 50 meaning businesses will still need to conform to new regulations in the meantime. CTO of Virtuoso, Greg McCallum says, It’s essential that your IT systems meet the technical requirements of GDPR before the regulation comes into effect.
Proper data governance is only possible with a well-designed, well-managed infrastructure platform that is both agile and stable. We can help you bridge that gap, saving time and money, to ensure your company can become compliant as soon as possible.
Why? The reason for the new legislation comes from an urgent need to update current regulations in the digital age.
The EU wants to ensure that individuals have more control over how their personal data is being seen, used and stored. Many online companies only allow the use of their services once people have submitted personal information.
The DPD came into play before cloud technology and the internet meant that peoples data could be exploited in different ways.
The GDPR aims to tackle the privacy challenges in the new digital economy by improving the levels of trust amongst its data holders and givers. Also by making the data protection law identical across the single market, the EU aims to give businesses an easier, clearer legal environment in which to operate.
How? The GDPR applies to the ͂Controllers̓ and ͂Processors̓ of data. A controller states how and why the data is processed, and a processor does the actual processing of said data. The new changes will affect all companies who deal with EU data even if the companies themselves are based outside of the EU. Under the GDPR controllers must keep accurate records of consent from individuals in relation to data storage, the format for consent being given changes under the GDPR, individuals must give consent in an active way rather than the passive way under some models (pre-ticked boxes are an example of this). Individuals are free to withdraw their consent at any time.
Companies that currently use passive ways of obtaining consent must ensure their data collection method is updated before the 2018 inception date or else must stop collecting data.
Data controllers must allow for individuals to access their personal data and comply within one month of the request. It is up to the controller to ensure that people can securely review the information a controller holds about them and the processors and controllers must be able to clearly explain how and why their data is stored and processed. People will now also have the right to request their data is deleted if it is no longer necessary, this is now known as the right to be forgotten. This will affect the controllers whose responsibility it will be to inform other organisations to delete any links to copies of the data in question. If a person wants their data to be moved elsewhere the controller must conform to this request within one month. It is each companies responsibility to inform their data protection authority of any data breach that might cause a risk to peoples rights and freedoms within 3 days of the company being aware of the breach. Harsh penalties will be in place for those who fail do comply within the deadline. Data protection authorities can issue penalties of up to €20 million or 4% of your global annual turnover (whichever is greatest) for any company or organisation who fails to comply with the new regulations set out in the GDPR.
Concerns? One of the biggest changes of the GDPR compared to the DPD is that what can be defined as ͂personal data̓ now encompasses IP addresses, economic and cultural information, and even mental health information. Anything that previously counted as personal data under the DPD still stands under GDPR. Data audits must take place to meet GDPR requirements, this may cause issues for some companies as they will have to ensure that they are aware of and have access to a full and accurate list of data-storing assets. Ultimately, the sooner companies conform to the new legislation laid out in the GDPR, the better to avoid heavy penalties and leave themselves open to risk.