On May 25, a new piece of legislation called GDPR came into effect in Europe. GDPR stands for General Data Protection Regulation, and it provides enhanced data protection rights to EU citizens.
Do I need to comply with the new legislation?
If your business has an entity or is based in the EU, and/or if your business is based outside of the EU but collects and processes personal data of EU citizens, then GDPR applies and you will have to comply with the updated policies.
Outside of this definition, compliance is not mandatory, but it’s a good time to take a look at your business’ data processing terms and privacy policies to support the protection and security of information belonging to individuals.
It could also be a good time to make any necessary upgrades to workplace training, conduct and policies to ensure your business is in line with what the GDPR really represents, which is the right for all of us to protect and control our personal information.
What happens if I don’t comply?
Non-compliance can lead to hefty fines. For lower-level infringements, this could result in fines of up to €10 million, or 2% of annual global turnover (whichever is higher), and for higher-level infringements up to €20 million, or 4% of annual global turnover (whichever is higher). To put the fines into context, companies such as Google or Facebook could face fines of up to a few billion dollars for non-compliance.
Besides fines, regulatory authorities can impose data processing bans, order data erasure, or suspend data transfers to other countries.
What makes GDPR different to other data protection laws?
Data protection is not new, and pretty much every country has data protection legislation. However, under GDPR, the definition of “personal information” is expanded from general data such as name and email to include things like genetic data, IP address, photos or videos and device IDs.
The inclusion of “data processors” in the GDPR is also new. Traditional privacy laws focus on controllers, or entities that collect data. Under this new legislation, those who look at the data and process it are also included and subject to its provisions. For example, Sparkline would be considered a data processor, an entity that doesn’t collect data but analyses it to extract insights.
Am I a data controller or processor?
Sometimes a business can be both a data controller and a data processor; an airline, for instance, collects data on your flight bookings and/or loyalty membership, and also processes that data to offer you more relevant offers and better experiences.
Who is protected by this new legislation?
People covered by the new protections are referred to as “data subjects”. Data subjects are considered EU citizens residing in the EU, as well as those who may be travelling or temporarily residing in the EU. So basically, if data is processed within the EU borders, those people are covered as data subjects.
Once you leave the EU, though, whether you are an EU citizen or not, you are no longer covered as a data subject, and local data processing and privacy protections apply as they always have.
What protection does the new legislation offer people?
GDPR offers data subjects a list of rights to which they are entitled, regarding the storing and processing of their data.
#1 The right to be notified of a data breach
Under GDPR, whenever there is a personal data breach, data processors must notify the data controllers. The data controllers must in turn notify supervisory authorities and data subjects as soon as possible, and within 72 hours of first becoming aware of the breach.
#2 The right to access their data
GDPR requires more transparency between businesses and individuals at the time of consent regarding data collection and use.
All data subjects have the right to know:
If their personal data is being used
How they can access it
How they can change or delete it
Why it’s being used or who it’s shared with
How long it will be stored
#3 The right to be forgotten
If a data subject asks you to erase their personal data, you must comply as soon as possible (provided you have no legal grounds to keep processing it). You should delete a data subject's information in the following cases: you no longer need it, the data was used unlawfully, or the data subject exercises their right to object.
#4 The right to object
A data subject has the right to object at any time to their personal data being used for direct marketing or any other legitimate purpose. For example, if a data subject asks you to stop retargeting them, then you must do so.
#5 The right to rectification
A data subject has the right to ask you to update their personal data if it’s incorrect or incomplete.
#6 Privacy by design
Privacy by design is an approach to designing projects, processes, products or systems that promotes privacy and data protection compliance from the start. This concept expects data controllers to hold and process only the data absolutely necessary for the completion of their duties (called “data minimisation”), and to limit access to personal data to those who need it to do their job.
How will these rights be enforced?
Large organisations are required to appoint DPOs (data protection officers), and in many cases more than one. Their job as GDPR experts is to enforce compliance within the company, and they are in charge of all data processing within the organisation. Each EU state will have a Supervisory Authority with the power to conduct audits, order compliance with GDPR, and issue fines and warnings.
Disclaimer: Sparkline are data people, not legal people. We recommend that you seek proper legal advice for any business decisions, just as we did!