How will changes to GDPR affect you?
How will changes to the General Data Protection Regulations affect you?
The new GDPR requirements are the most important changes to data privacy in over 20 years. The goal of the new requirements is to protect all EU citizens from privacy and data breaches, and these sweeping changes are the most significant updates since 1995. Consumer privacy and data protection has been in the news recently, with many data breaches coming to light months after they have occurred, and leaving consumers unprotected. These new requirements will hold companies responsible and ensure consumer data protection and privacy. Here is an overview of the key changes:
The largest change is regarding jurisdiction. All companies, regardless of location and whether they were established in the EU or not, will be subject to the new GDPR regulations when processing personal data of EU citizens. Any organizations found to be non-compliant with the GDPR can be fined up to 4% of annual global turnover or 20 million Euro (whichever is greater). That is the maximum fine imposed for the most serious offenses. There is a tiered approach to the penalties. These fines apply to both controllers and processors, so all companies processing data need to ensure compliance to avoid fines.
Changes have also been made to the consent conditions. Companies can no longer use long, confusing terms and conditions to explain consumer rights. The request for consent has to be easily accessible, and the reasons for the data processing must be attached to that consent. The consent form must be easy to ready and it must also be easy to withdraw consent.
New policies related to a data breach have also been updated. In all member states, a data breach that could “result in a risk for the rights and freedoms of individuals” must be done within 72 hours after becoming aware of the breach. This is to avoid instances when a breach has been discovered and not made public for months, exposing customers to risk of their personal data being used by others.
“Privacy by design” is another new requirement of the GDPR. When a system is developed, data protection must be included from the beginning, not an additional system added later. There will no longer be a requirement to report to local DPA (Data Protection Officers), as most member states have different notification requirements. Previously, the reporting to local DPAs was problematic for companies due to the inconsistencies and differences in requirements.
The enforcement date for the new requirements is 25 May 2018, and companies found to be non-compliant will face heavy fines. If you are processing personal consumer data, you must have your systems in place to accommodate these changes by May 2018. These new consumer protections will help secure personal data, and ensure companies are using best practices when processing personal information.