The countdown has begun! Data protection law in Europe is about to change significantly by strengthening the rights of individuals and increasing the obligations on organisations. Are you GDPR-ready?
Data is everywhere and everything in today’s world. We are all agents of a digital and online revolution that’s driving change in our economies and societies at an unprecedented pace. Maintaining control over our digital identity and knowing how we are tracked and monitored have become fundamental issues for us as human beings.
In Europe, each individual enjoys a specific right to have their personal data protected under Article 8 of the EU Charter of Fundamental Rights. Personal data is information about a living person – their name, phone number, email address, purchasing records, health records – anything specific to them as an identifiable individual.
The EU is replacing its current data protection legislation, and strengthening the protection afforded to every European, with the General Data Protection Regulation (GDPR). Adopted in 2016, it is a regulation rather than a directive, so it applies directly in every member state from May 25th 2018 without national implementing laws. It means every organisation, business or public sector body that processes the personal data of individuals needs to get ready! The GDPR has extra-territorial reach too. An organisation established outside the EU is covered if it offers goods or services to individuals in the EU, or monitors their behaviour there, whether or not payment is involved.
Making all the headlines in relation to GDPR are the sanctions and fines that can be levied by the data protection authority of each member state. For the most serious infringements, companies can be fined up to €20 million or 4% of annual worldwide turnover, whichever is higher, if they are deemed to be non-compliant with the new Regulation. There will also be a Europe-wide right of compensation for individuals who suffer material or non-material damage as a result of an infringement. It's a worrying prospect for any business, but there's lots that can be done to ensure your organisation avoids a serious breach of the law and a painful penalty.
Some of the preparation necessary for GDPR is common sense. The new law is built on the same data protection principles we are all familiar with. When handling personal data an organisation needs to obtain the information fairly and transparently by giving notice of what it is collecting and why; use the data only for the specified purposes; keep it accurate, up to date and secure, including not disclosing it to unauthorised third parties; retain it for only as long as necessary; and give a copy of their data to any individual who requests it.
But the real game changer lies in the new accountability and transparency requirements under GDPR, and these are expected to drive the most significant changes in how organisations behave. It is no longer enough to comply: an organisation must be able to demonstrate compliance. Management will have to know, document and complete due diligence on the personal data processing operations and data governance of their business, including keeping records of what data is processed, why, on what legal basis, with whom it is shared and for how long it is kept. GDPR demands a risk-based approach that will force organisations to step carefully through the analysis and put mitigating measures in place if they want to stay in compliance.
Other new requirements under GDPR include the need to demonstrate data minimisation; privacy by design and by default in any new product development process; appointing a Data Protection Officer where the Regulation requires one (public authorities, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data); mandatory reporting of personal data breaches to the supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals, and notifying the affected individuals themselves where the risk is high; and deciding whether a data protection impact assessment is required before starting any new processing activity, particularly one relying on new technologies. All these aspects are expected to make data protection a central compliance activity in organisations.
Experts also argue the GDPR will create a new market of data privacy differentiation where companies can distinguish their product or service by the privacy it offers to consumers. And there can be no shortcuts to success! Businesses will find it more difficult to rely on 'consent' as a legal basis for processing data: consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action rather than a pre-ticked box or silence, and individuals must be able to withdraw it as easily as they gave it, at any time. Public authorities will no longer be able to rely on "legitimate interest" as a basis for processing carried out in the performance of their public tasks.
There can be little doubt the GDPR is going to change behaviours and drive new standards. Each company will have to consider how the enhanced rights of individuals will impact specific operations across the entire organisation, from marketing departments to HR and from product design to IT. Policies and procedures will have to be in place, with clear data ownership, to enable individuals to access their data, rectify their data or exercise their right to erasure, generally within one month of the request. Individuals can also restrict processing, object to processing, request data portability, and have the right not to be subject to a decision based solely on automated processing, including profiling, where that decision has legal or similarly significant effects on them. If your company offers online services to children, you will also have to ensure there are adequate systems in place to verify ages and gather consent from a parent or guardian for children below the age of digital consent, which is 16 under the Regulation unless a member state sets a lower age (no lower than 13).
With the countdown to May 25th, 2018 well underway, the new obligations under the GDPR can seem overwhelming. If you feel that way you're not alone! Surveys conducted with 12 months to go suggested that, on average, just one in five small to medium sized businesses had started to prepare. But the clock is steadily ticking and the race to be GDPR-ready is on. Don't waste time, contact us.
Advanced Metadata’s software solutions can get you over the finish line!