A new data protection regulation from the European Union, the GDPR (General Data Protection Regulation), will apply from May 25, 2018. Businesses that fall under it will have to meet several new requirements for how they collect and use the personal data of people in the EU. You may think this sounds boring and irrelevant to your business and that 2018 is far away, but you should pay the new regulation some attention now.
Here are 5 facts you need to know about the GDPR:
1. The GDPR will affect ANY business that processes personal data of people in the EU, regardless of whether that organisation is established in the EU or not. Offering goods or services to people in the EU, or monitoring their behaviour (for example with website tracking), is enough to bring you under it.
2. “Personal data” doesn’t have to be a name, address, or personal ID number. The definition is broad: storing a simple social media ID, an IP address or a cookie identifier for a person in the EU can be enough to make you fall under the regulation. Personal data is, in short, any information that can be used, on its own or in combination with other data, to identify an individual.
3. If your organisation is required to comply and doesn’t, the fines can be huge. There are two tiers. Breaches of the organisational obligations on controllers and processors (for example security of processing, breach notification and the data protection officer requirement) carry fines of up to 10 million euros or two percent of the total worldwide annual turnover. Breaches of the basic principles of processing, of the rules on consent, of the rights of the data subject or of the rules on international transfers carry fines of up to 20 million euros or four percent of turnover. In each tier, whichever amount is higher applies.
4. The new regulation distinguishes between data controllers and data processors, just as the current directive does. The data controller is the organisation that determines the purposes and means of the processing of personal data, while a processor processes the data on behalf of a controller. Most organisations are controllers for at least some of their data, which means that from May 2018 they will have to live up to several new requirements. But processors will also have direct obligations of their own, as opposed to today, where the controller carries the full responsibility. For example, from May 2018 a processor must report a data breach to the controller without undue delay after becoming aware of it (the controller in turn reports to the supervisory authority), and must inform the controller if it believes one of the controller’s processing instructions to be non-compliant.
5. The new regulation is very demanding. These are the 3 most noteworthy changes:
• If you are a public authority, or your core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of sensitive data (such as health data), you will have to appoint a Data Protection Officer
• Collecting consent from consumers will become significantly harder, as an individual has to actively opt in to the use of their data (pre-ticked boxes and silence don’t count), consent has to be as easy to withdraw as it was to give, and you as an organisation have to be really clear about the purpose of the data collection
• The consumer will have several new rights, e.g. the right to receive clear, easily readable information about what data you’re storing about them, to have that data corrected or deleted entirely, and to receive it in a machine-readable format so it can be moved to another provider