There’s just over 12 months to go until organisations must be compliant with the EU General Data Protection Regulation (GDPR).
The GDPR will supersede the 28 current national data protection laws based on the 1995 Data Protection Directive (DPD) and will come into effect on 25 May 2018.
The Regulation will increase privacy for individuals and give regulatory authorities more power to take financial action against organisations that do not comply. It also requires organisations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organisational measures.
The GDPR introduces tough penalties for organisations that breach the new laws: 4% of their annual global turnover or €20 million (US$ 21.3 million) – whichever is greater.
Key changes introduced by the GDPR
The introduction of this Regulation marks the most significant change to data protection in recent years. The key changes introduced by the GDPR include:
- Scope of the new law
The GDPR applies to all organisations that collect, store or process the personal data of EU residents. Organisations outside the EU that fall into this category also have to comply with the GDPR. They will need to appoint an EU representative located in one of the member states in which the corresponding data subjects are based.
Data processors – service providers, like call centres, that process personal data on behalf of a data controller – must be able to provide “sufficient guarantees to implement appropriate technical and organisation measures” to ensure they comply with the GDPR.
- Individuals’ data rights
The GDPR enforces stricter requirements on obtaining consent from individuals for the processing of their personal data. Consent must take the form of a “freely given, specific, informed, and unambiguous indication of the individual’s wishes”. Pre-ticked boxes or inactivity will not count as consent. Organisations must keep records so that consent can be proven.
Under the new Regulation, parental consent is required before processing the personal data of children under the age of 16. Member states can reduce this age to 13.
The GDPR gives individuals greater control over their personal data and gives them the right to be forgotten and erased from records.
Organisations must inform individuals of any profiling activities they carry out. This includes online tracking and behavioural advertising.
- Data protection
Under the GDPR, organisations must implement suitable technical and organisational measures before the processing of data begins. Data protection risks must be assessed and organisations may need to adhere to management system certifications, such as ISO 27001, to demonstrate compliance.
Data protection must be designed into processing systems and a data protection impact assessment (DPIA) is mandatory in some circumstances.
Organisations that process high volumes of personal data must appoint a data protection officer (DPO). The DPO must have the right qualifications and a good knowledge of data protection law.
Organisations must report a data breach to their supervisory authority within 72 hours of becoming aware of it.
- Data transfers outside the EU
The GDPR forbids transferring data outside the EU to a country that does not have satisfactory data protection.
There are a number of critical areas that organisations will need to consider to ensure GDPR compliance. With just over 12 months to go, now is the time to begin looking at what you need to do to comply.