GDPR Compliance – The Changes You Need To Know
26 March 2018
The GDPR is an important set of EU regulations that come into force on the 25th of May 2018, and businesses of all sizes need to be aware of the changes that are taking place. Failure to implement the new rules could see large fines and prosecutions – ignorance will not be an adequate defence!
The aim of the GDPR is to improve the data protection rights of all EU citizens, and in this article, we outline some of the key changes that are happening, plus the advantages and disadvantages of the GDPR.
The Key GDPR Compliance Changes
Increased Territorial Scope
Any company that processes the personal information of people residing in the EU is required to follow the new regulations, regardless of the company’s actual physical location. This means that an American company using European customers’ data is also bound to abide by the GDPR. Non-EU businesses processing the data of EU citizens must appoint a representative in the EU.
Failure To Comply
Both controllers and processors of personal data will be liable for heavy fines under the new regulations. An organisation that breaches the rules can be fined up to 4% of its annual turnover (this is likely to occur for serious breaches such as not having customer consent to hold their data). Smaller fines will cover things like failing to notify authorities and customers within 72 hours of a data breach, and companies not having their data protection records in order.
Personal Consent & Access
Consent must be clear and distinguishable from other matters and provided in an easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Citizens can request details of their personal information from an organisation, and the organisation must provide an electronic copy of this data without charge.
Any person can request that their personal data be erased from an organisation’s systems. A data controller must adhere to this request unless they believe that there is sufficient “public interest in the data” to keep the information. Any data that is no longer relevant should be deleted by businesses that hold the information.
Privacy By Design
Privacy by design is a legal requirement under the GDPR. It means that data protection must be treated as an essential factor when designing any new business system or process. Data should only be held when absolutely necessary, and Data Protection Officers should be responsible for the management of this data. DPOs must have sufficient experience in the handling of data, and they should have the knowledge and/or qualifications needed for the role. It is the responsibility of this person to ensure that accurate records are kept relating to data protection.
The Advantages & Disadvantages Of The GDPR
Although complying with the new regulations will involve a lot of time and investment from businesses, the reality is that data protection has needed an overhaul for some time. Cybercrime happens on a daily basis and there have been several high-profile data breaches affecting millions of people in recent years. This affects a company’s brand and reputation, while also leaving them liable for huge compensation claims.
Put simply, businesses cannot afford to ignore data security any longer, and the GDPR will help companies to better manage this responsibility.
However, the GDPR will undoubtedly cause an increase in costs and administration tasks – consent forms will be required for every case of data processing. This could also mean that the user experience of websites will be hampered (web consent pop-ups must be implemented).
In addition, the regulations will ensure that Data Protection Officers become an integral role and an additional budgetary cost for all organisations.