What does GDPR and new European Privacy laws mean for your business
What does GDPR mean?
As of the 25th of May 2018, data protection law changes from the 1998 Data Protection Act to the new EU GDPR, and the team at O’Brien Media have made several changes that some website and business owners may not be aware they need to make too.
The new regulation focuses more on documentation and procedures, changing how organisations approach data privacy and look after customer information. Many organisations would be forgiven for thinking that GDPR focuses solely on customer data, but they will need to demonstrate accountability for how they store all their data, whether it comes from suppliers, employees or customers.
GDPR compliance and your website
What does GDPR entail and what will you need to be aware of?
The official EU GDPR website cites the main aim of GDPR as ‘to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.’ Although the key principles of data privacy remain consistent with the previous directive, many changes have been proposed to bring legislation up to date with technological advancements. Here are the top changes to be aware of:
Increased Territorial Scope (extra-territorial applicability)
This will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.
Penalties
Under GDPR, organisations in breach of the regulation can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements; there will be a tiered approach to fines.
Consent
Companies can no longer use long, illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form. In addition, it must also be easier for people to withdraw consent.
Breach Notification
Breach notification will now become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach.
Right to Access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain confirmation as to whether personal data concerning them is being processed and for what purpose.
Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
Data Protection Officers
The appointment of Data Protection Officers (DPOs) will be mandatory for data controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of special categories of data, or of data relating to criminal convictions and offences.
Back to the question, what does GDPR mean?
So, to answer the earlier question, GDPR means a lot, especially as the fines for failing to comply are so large, even for small businesses.
While GDPR does make allowances for smaller businesses, it still imposes large fines for those that don’t adjust and become compliant.
GDPR Article 30 outlines that DPOs are only required for businesses and organisations with over 250 employees, but those under 250 employees still need to make everyone aware of any breaches in data security, allow individuals to exercise their right to be forgotten, and allow for enquiries as to how their personal data is being used. So make sure you have processes in place to make this job as simple as possible before the 25th May 2018.