After four years of negotiations and unprecedented levels of lobbying, the General Data Protection Regulation (GDPR) is set to come into force this May. The eighty-eight-page EU regulation, which experts have dubbed the world’s strictest set of privacy rules, will set out the ways in which businesses can collect, use, manage and store personal data and those who fail to comply will incur massive financial penalties.
The regulation, which will replace the 1995 Data Protection Directive, aims to account for the substantial changes in data security that have occurred since the rise of the digital economy. The GDPR will also harmonise the currently inconsistent data privacy laws across the EU, reducing legal fragmentation and complexities for businesses operating across the continent.
Currently, organisations that process personal data in the EU must comply with the 1995 Data Protection Directive. However, the geographic scope of the GDPR will be much broader – in addition to those that are affected by the 1995 Directive, some organisations outside of the EU will also be made to comply with the new regulation. Indeed, non-EU organisations who offer goods or services to EU citizens – such as a Chinese web shop with European customers – must comply with the EU regulation. Non-EU organisations monitoring the behaviour of EU citizens will also fall under the scope of the new regulation. For instance, social media providers who allow EU citizens to join their network must be GDPR compliant once the regulation comes into force. As Stewart Room, cyber security and protection partner at PwC, explains, “this will impact every entity that holds or uses European personal data both inside and outside of Europe.” But what does the regulation require these organisations to do?
As the UK’s data protection regulator, the ICO, said, the GDPR will give EU citizens “genuine choice and control” over their personal data. Indeed, once the regulation comes into force, firms collecting any form of personal information about an individual will need to obtain their “unambiguous” consent. To lawfully gain consent, requests must be easily accessible, use clear and plain language and involve a clear affirmative action (i.e. an ‘opt-in’). Hence, organisations will no longer be able to use pre-ticked checkboxes or lengthy, legalese-laden terms and conditions to gain consent for individuals’ personal data.
EU citizens will also possess new rights under the regulation. For instance, individuals will have the right to freely access any personal information a company holds about them, and will also have the right to have this information securely transferred to a different organisation or deleted altogether.
On top of this, organisations whose processing is thought to pose a high risk to individuals’ data security will be required to carry out data protection impact assessments in order to mitigate those risks. Businesses who process sensitive data on a large scale will also have to employ a Data Protection Officer to ensure GDPR compliance. If there is any breach of data security, organisations must inform the country’s financial regulator within 72 hours, and any individuals that the breach impacts also need to be notified in this period.
Unsurprisingly, the new regulation is set to cost businesses billions; a study from EY found that the Fortune 500 alone are estimated to spend $7.8bn ensuring their systems are compliant. In addition, financial penalties for data protection violations under the GDPR step up massively from the 1995 Directive; firms who fail to comply with the GDPR face fines of up to 4% of their global annual turnover, or €20 million, whichever is greater.
Experts believe the tough new set of privacy laws will drive up standards around the world. After all, countries outside of the EU will also need to abide by the regulation if they are handling data belonging to EU citizens and failure to comply will lead to severe financial penalties that could prove crippling to businesses.
British businesses have not escaped the regulation – the UK’s ‘Brexit’ decision will not affect the commencement of the GDPR. In fact, the UK has released its own draft Data Protection Bill – the UK data protection law will mirror the EU law once it is implemented this May. This means that after its divorce from the Union, the UK can continue to efficiently do business with the rest of the EU – at least in so far as the EU’s data protection laws will not prohibit it. So, these tough new privacy laws are here to stay in the UK. If your business is not yet GDPR compliant, the Nebula Labs team of experts can aid your firm in updating its existing systems and data structures by the May 25th deadline to avoid those hefty fines.