From 25 May 2018, the new General Data Protection Regulation (GDPR) will apply across all EU member states, replacing the 1995 Data Protection Directive with a single EU-wide framework for data protection law. The regulation is designed to give individuals greater protection and stronger rights, and to give people more say over what companies can do with their data. It is already generating a lot of noise in many areas. There is plenty of information available, but what we all really want to know is: what exactly is GDPR, and how will it affect technology companies and, more importantly, their clients?
GDPR - The details you need to know now
Strictly speaking, GDPR has already been in force since May 2016, but organisations are only obliged to apply it from 25 May 2018. This two-year transition period has given businesses time to prepare for the changes. Under the regulation, companies need a lawful basis, such as the individual's consent, for every use they make of personal data. Where they rely on consent, it must be freely given, specific, informed and unambiguous, so silence or pre-ticked boxes no longer count. They will also need to provide clear information about what the data is being used for and how it will be stored and processed.
The implications of GDPR for businesses of any size are two-fold. Firstly, they will need to assess their current data collection and storage systems to make sure they are ready for the new rules. Secondly, they need to put in place new internal processes and train staff on how they access and share data.
There will also be changes for international organisations with head offices outside the EU. From May 2018, what matters is the location of the market rather than the domicile of the company: GDPR applies to any organisation, wherever it is established, that offers goods or services to people in the EU or monitors their behaviour. A business outside the EU can no longer rely on its home jurisdiction's rules taking precedence; if it continues to serve EU residents, it must observe GDPR, including any national provisions the target country has adopted under it.
Articles 12 to 14 of the new regulation also set stricter information duties. Companies have to tell users, in clear and plain language, how their data is processed, how long it is stored and whether it is transferred to third parties. These information duties come with rules on access, withdrawal of consent and erasure. Under Article 17, individuals are entitled to have their data erased, which is widely known as the "Right to be Forgotten". They can demand deletion if the data is no longer needed for the purpose it was collected for, and they can withdraw consent at any stage of the process. A controller that has made the data public is also responsible for taking reasonable steps to inform other organisations processing it that the individual has requested erasure of any copies of, or links to, that data.
In contrast to the right to have personal search engine results delisted, which the European Court of Justice established in its 2014 Google Spain ruling, GDPR provides for erasure directly at the place where the data is stored. In future, a business that has previously published data about a person must also inform other parties that have processed that data of the individual's erasure request. Alongside this, the right of access (Article 15) lets individuals find out exactly what information an organisation holds about them, and the right to erasure lets them request that any of it be deleted if they believe their privacy rights are being infringed.
The new EU General Data Protection Regulation is not a reinvention of existing data protection rights; it shifts the emphasis. From 2018 onwards, organisations face more duties and more risk. They not only have to know where, when and which data is being processed, they may also have to document their processing activities in a formal record.
So how can technology companies and their clients prepare for GDPR?
‘Fail to prepare, prepare to fail’ is a phrase that fits GDPR particularly well. When starting preparations, organisations should first analyse which types of data processing take place in each area of operation. For staff data, for example: is it handled on behalf of a third party, is there collaboration with subcontractors, and who can see the data?
Following the analysis, the data processing should be reviewed and evaluated to establish whether the new requirements are being met. It is also good practice to check that existing data processing agreements, privacy notices and consents comply with the new regulation.
The risk of non-compliance is now considerable. In the past, fines have been rare. The fines set out in Articles 83 and 84 of GDPR, however, are of a whole new dimension in the data protection world. Article 83 creates two tiers, and the tier depends on the type of infringement rather than the size of the business. Breaches of obligations such as appointing a required data protection officer, keeping records of processing or securing data appropriately can be fined up to 10 million euros or 2 per cent of worldwide annual turnover, whichever is higher. Breaches of the basic principles of processing, of individuals' rights or of the rules on international transfers can be fined up to 20 million euros or 4 per cent of worldwide annual turnover, whichever is higher. Article 84 leaves it to member states to set further penalties.
Is your business GDPR ready?
There is clearly a vast amount of information saturating the market about GDPR and its implications. Whether small or large, businesses need to act now to avoid fines of up to 20 million euros, or 4 per cent of worldwide turnover, for non-compliance. To avoid these penalties and be ready in time, they need to take stock of the personal data they hold and review the processes and systems in which it is stored. From May 2018, when GDPR applies in full, organisations will need to be far more transparent about how customer data is stored and processed.
Dominik Birgelen, CEO, one click AG