The European Union has released new guidance on how businesses operating in Europe should protect customer data. In less than two years, all organisations will have to comply with new legislation, the General Data Protection Regulation (GDPR).
But how will the new changes affect you and your business? Continue reading for more information about the legislation and then download our 5 Step Guide to becoming GDPR Compliant.
What is the General Data Protection Regulation (GDPR)?
On 27 April 2016, the European Commission announced a reform of its data protection framework, intended to strengthen protection policies through implementation of the General Data Protection Regulation (GDPR). The new legislation will replace the existing Data Protection Directive 1995, and all businesses operating within the EU will be expected to comply. After a two-year transition period, GDPR will come into effect on 25 May 2018.
Why have the rules changed?
The European Parliament considers the Data Protection Directive 1995 to be outdated in the digital economy. Exponential growth in data storage and mobile technologies has seen a worldwide increase in privacy issues, and globalisation and inconsistent enforcement across EU member states have made it costly and complex for businesses to comply.
Is GDPR a good or bad thing for businesses?
The EU predicts that due to a reduction in red tape, businesses will save approximately 2.3 billion euros annually. However, critics contend that the new rules will be difficult and costly to implement, with some businesses being forced to redesign their technology and business processes.
Will this affect my business now that the UK plans to exit the European Union?
The answer is yes. Unlike the current Directive, the regulation will apply to organisations that provide products or services to EU customers or process personal data of EU residents. According to the European Commission, personal data “is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
What are the experts saying about GDPR?
Businesses have a lot of ground to cover to reach compliance. Global law firm DLA Piper claims that the GDPR “heralds some of the most stringent data protection laws in the world”, and Allen and Overy, a provider of legal services to global business and industry, suggests that “many companies are re-examining their processes and procedures now in order to ensure compliance.”
How will the GDPR be enforced?
National regulators will receive greater power to deal effectively with complaints, conduct investigations and impose sanctions. It is anticipated that sanctions can, and will, be imposed, ranging from a written warning for first-time non-compliance to a fine of 4% of global annual turnover for more serious breaches. The risks are high.
What impact will this have on our day-to-day business operations?
You will need to know where, and how, the personal data you hold is being processed. Under the new legislation, a company will have to notify regulators of a data breach within 24 hours and affected individuals “without undue delay.” Businesses with more than 250 employees or those involved in “risky processing” will also be required to designate a Data Protection Officer (DPO) and conduct regular data protection impact assessments.