In 2012, the European Commission initiated an updated data protection regulation, aimed at harmonizing data privacy laws across Europe. In 2016, the EU General Data Protection Regulation (GDPR) was passed and adopted by the Council of the European Union as well as the European Parliament.
Following a two-year post-adoption grace period, the regulation will be enforced starting May 25, 2018, with heavy fines imposed on violators.
With this blog post, I’d like to give you an overview of what this means for your business and how you can protect yourself from facing fines of up to 4% of your annual global turnover or €20 million (whichever is greater).
The GDPR will apply to all companies that collect, hold, and/or process personal data of EU residents, regardless of the company’s location.
For companies in the UK that only market to UK citizens, the GDPR might not apply post-Brexit. However, the UK Government has hinted that it will implement an equivalent or alternative legal mechanism.
Long and convoluted terms and conditions full of legalese might now need an overhaul. Under the GDPR, the request for consent must be clear and phrased in plain language. Furthermore, it must be as easy to withdraw consent as it is to give it.
Under the GDPR, breach notifications will become mandatory and must be made within 72 hours of first becoming aware of the breach.
Right to Access
Users have the right to obtain confirmation as to whether or not personal data concerning them is being processed, by whom, where, and for what purpose. In addition, after proving their identity, they shall be provided an electronic copy of that personal data, free of charge.
Right to be Forgotten
Users can ask to have their personal data erased. They also have the right to stop further analysis or processing of that data.
Organizations that do not adhere to the GDPR open themselves up to fines of up to 4% of annual global revenue or €20 million (whichever is greater).