On May 25th 2018, the GDPR will come into effect with the conclusion of its two-year transition period. The GDPR replaces the 1995 GDD (General Data Directive). Since 1995, rapid technological developments have drastically changed how companies access and store information about customers. The new data protection rules seek to better protect customers and to unify regulation throughout the EU.
Who is impacted by the GDPR?
The GDPR applies to any organisation, within or outside the EU, that collects PII (personally identifiable information) about EU citizens. PII is any information that makes it possible to identify a specific individual, for example names, addresses, occupations and e-mail addresses.
What does the GDPR stipulate?
Any company that stores PII must notify the individual and receive their consent before storing their information. Individuals have the right to be informed about how long their details will be stored and must be able to contact the data controller or Data Protection Officer (DPO). Individuals can also contest any significant decision made about them using an algorithm or profiling methods.
Once gathered, all PII must be protected according to the principles of data protection by design and data protection by default. In practice, data protection must be an integral part of corporate procedures and should include encryption and pseudonymisation. The protection methods used must also be recorded and tracked in order to demonstrate compliance with the GDPR.
Data Protection Recommendations
The GDPR recommends that data be protected by measures such as pseudonymisation and encryption. Pseudonymisation ensures that the data cannot be traced back to a specific individual. Encryption is one of the most effective methods, as it renders the data unintelligible without the decryption key, which prevents the data from being accessed by people who do not have permission.
Responding to Data Breaches
One of the primary purposes of the GDPR is to give the general consumer better protection from data breaches. Large-scale data breaches have recently become a massive problem: for example, the misuse of 50m Facebook profiles by Cambridge Analytica within the 2016 American presidential campaign for Donald Trump, the breach of 3m Carphone Warehouse customers' data in 2014, or the breach affecting 3 billion Yahoo account holders. With so many large-scale data breaches, it is unsurprising that the EU is introducing new data protection regulations.
Data breaches will, of course, continue to happen under the GDPR, and specific protocols therefore set out how companies must deal with them. When a breach is suspected, the data controller must report it as soon as possible to the supervisory authority (the ICO), unless the breach is unlikely to jeopardise individuals' rights or freedoms. The breach must be reported within 72 hours. If the affected individuals are at risk, they must also be notified, unless the data had been encrypted in a way that makes identifying individuals impossible.
Failure to Comply: Penalties & Fines
Depending on the type of infringement, the consequences of a data breach can range from a written warning for a first offence to a 20 million Euro fine for not complying with GDPR processes. It is clearly essential to ensure that your company, if the GDPR applies to it, complies with the regulation in order to avoid these heavy penalties.