What is the GDPR and what does it change?
The General Data Protection Regulation (GDPR) is the European Union’s (EU) new data protection law that comes into effect on 25 May 2018.
Implemented throughout the EU, it governs all businesses operating within the union and embeds a more consistent approach to data protection. Companies that trade with EU-based businesses are also impacted and need to know what’s changing and how to comply.
So why is data protection legislation transforming?
Since 1995, the Data Protection Directive (Directive 95/46/EC) has determined how individuals’ personal data is protected within the EU. However, since its inception there have been vast developments in the sophistication and scale of data creation and gathering – for example through the emergence of social media, cloud computing and geolocation services. As the directive predates these developments, it’s no longer suitable to govern the current data landscape; it needs to be refreshed to address modern privacy concerns and facilitate consistency across the EU. This is what the GDPR does.
The new regulation introduces a huge range of changes. Underlying this shift is the EU’s ongoing agenda to safeguard its citizens and their private information. The GDPR establishes new rights for individuals and strengthens current protections by applying stricter requirements to the way businesses use personal data. If they fail to comply, the sanctions are significantly larger.
What this means for your business
The GDPR is a valuable opportunity to understand your business’s data and use it more effectively. However, it requires strict adherence to the new regulation and a clear understanding of the changes in order to avoid large penalties.
First, it’s critical to be aware that the GDPR supersedes all existing data protection acts, and that it increases businesses’ obligations around data protection and their accountability for failure. It also applies across the full spectrum of data engagement – from the collection of personal data through to its use and disposal. Your organisation needs to embed policies and procedures to ensure that it monitors its GDPR controls and documents its compliance.
The new rules apply to organisations of any size that process personal data. Whatever the nature of your organisation, the GDPR has a substantial impact.
Understanding the core changes
The GDPR introduces wide-ranging changes that require thorough understanding, internal stakeholder acceptance, appropriate preparation and implementation across the whole business. To provide an overview, we’ve addressed some of the key changes here.
Better rights for data subjects
The largest shift is that individuals benefit from greatly enhanced rights, for example, the right to object to certain types of profiling and automated decision-making. Consent requirements are also more stringent: consent must be explicit and affirmative, it must be given for a specific purpose and it must be easy to retract. Individuals can also request that personal data is deleted or removed if there isn’t a persuasive reason for its continued processing.
Organisations have far more responsibility and obligation. They need to publish more detailed fair processing notices – informing individuals of their data protection rights, explaining how their information is being used and specifying for how long. The new regulation also embeds the concept of privacy by design, meaning organisations must design data protection into new business processes and systems.
Formal risk management processes
Organisations must formally identify emerging privacy risks, particularly those associated with new projects, or where there are significant data processing activities. They must also maintain registers of their processing activities and create internal inventories. For high-risk data processing activities, Data Protection Impact Assessments (DPIAs) are mandatory. It is also compulsory to appoint a Data Protection Officer (DPO).
Reporting data breaches
As part of the drive for greater accountability, data breach reporting has become stricter. If a significant data breach occurs, it must be reported to the Data Protection Commissioner within 72 hours and, in some cases, to the individuals affected without undue delay.
Penalties for non-compliance with the GDPR have risen considerably, up to €10 million or 2% of annual global turnover (whichever is greater) for minor or technical breaches, and €20 million or 4% of turnover for more serious operational failures.
Data processing requirements
The regulation also imposes new requirements on data processors, and includes elements that should be addressed contractually between data processors and data controllers.
To discuss how we can help your business understand its GDPR requirements and become compliant with the new regulation, get in touch with one of our member firm specialists.