The GDPR, more formally known as the General Data Protection Regulation, has caused great concern amongst businesses that handle personal data. What is it? How does it change people’s rights, and what are the penalties for breaching it?
After many years of long-winded discussion, the GDPR has emerged as a regulation that creates a single set of data protection rules across Europe. The idea behind it is to make business simpler and to harmonise data protection across the European Union. The GDPR does not apply until 25th May 2018, but from that date it will be directly applicable in all member states without any need for national implementing legislation.
What does the GDPR Mean?
So how does it change things? The GDPR imposes tougher punishments for breaches of data protection and aims to offer more protection to the people whose data is affected by such breaches.
Controllers of personal data will now have to ensure data is processed lawfully, transparently, and for a specific purpose. Consent also must be affirmative rather than passive. For example, a pre-ticked box agreeing to one’s information being shared will not amount to affirmative consent come 2018 – which would (hopefully) mean no more irritating phone calls after being involved in a minor car accident.
Furthermore, even if one consents to one’s data being held, that consent can be withdrawn at any point, and controllers of personal data must also keep a record of how and when consent was given.
The GDPR affords people the right to access any information that is held about them and also introduces the ‘right to be forgotten’, whereby people can demand that data about them be deleted if it is no longer required for the purpose for which it was collected.
The Problem of Compliance
It is all well and good giving people such rights. However, how will the GDPR ensure that these rules are followed? The severe nature of the penalties answers this question.
In fact, the severity of the penalties is one of the main reasons why the GDPR has caused so much concern for businesses that hold personal customer data. The prospect of fines on this scale makes compliance with data protection law more likely than ever before.
If a business holds personal data and suffers a breach that puts people’s rights at risk, it must notify the relevant data protection authority (in the UK, for example, this would be the Information Commissioner’s Office) within 72 hours of becoming aware of it and, where the breach is likely to result in a high risk to the individuals concerned, also notify the people affected. Missing this 72-hour deadline can result in a fine of up to €10m or 2% of global annual turnover, whichever is higher.
Should the basic principles of processing data (such as the consent rules) not be followed, the fines are even worse: potential penalties of up to €20m or 4% of global annual turnover, whichever is higher.
It seems safe to assume that controllers of personal data will be doing all they can to avoid such fines, which in turn enhances the protection of personal data of consumers.
The UK Question: Data Protection and Brexit
Given the significant changes and the high threshold that must be met, preparation for the GDPR is generally well underway among businesses that want to hit the ground running when the regulation applies and avoid severe penalties.
Does this mean, however, that the UK is free not to prepare for the changes because of its recent decision to leave the EU? Some have been led to believe that Brexit brings an end to the hurdle that is the GDPR. However, the GDPR is designed to catch data controllers and processors outside the EU whose activities relate to offering goods and services to EU data subjects or to monitoring their behaviour.
This means that in practice companies outside the EU (which will soon include UK companies) that target consumers in the EU will be subject to the GDPR. The UK’s decision to leave the EU therefore does not let it off so lightly when it comes to the regulation.
The GDPR: Expectations versus Reality
What next? In short, the GDPR will, if all goes to plan, bring about greater protection of people’s personal data and create greater punishments for failing to protect it. Great for the people, but terrible for businesses that do not comply.
The GDPR will undoubtedly create great change when it comes to data protection. However, businesses do in fact have time on their side to prepare for the regulation, and it will be interesting to see whether the GDPR turns out to be as severe in practice as it claims to be in principle.