The countdown has begun for organisations handling personal data: as of 25 May 2018, when the General Data Protection Regulation (GDPR) comes into force, all EU citizens will have the same rights over their data – and all European organisations will be subject to the same rules. Here’s an overview of these rights and obligations.
The rise in digital services, the Cloud, IoT and Big Data has brought about the need for changes to laws on personal data protection – and this is precisely what GDPR is for. The Europe-wide implementation of the directive will ensure harmonisation of data protection laws across the Community.
The regulation is designed to ensure greater transparency and improve users’ trust in how their personal data is managed and secured, in order to “give a strong basis for the Digital Single Market to flourish,” as a representative of the EU members said in a statement. GDPR, officially called “Regulation (EU) 2016/679,” will thus now be the definitive law for data protection, repealing Directive 95/46/EC. It’s a formidable document, with no fewer than 99 articles.
GDPR: good news for European citizens
Some of the key advances in terms of citizens’ control of the way their personal data is used include:
- Consent: data processing requires consent from the user – consent that must be “freely given, specific, informed and unambiguous.” The organisation must also clearly specify how and for what purpose the data is to be used, and must inform the user of their rights to access, rectify, delete, etc. the data. Under-16s will require parental consent.
- Portability: organisations are required to provide users with the means to retrieve their data in a structured, commonly used and machine-readable format, and users have the right to transmit that data to a third party.
- In the event of a cyber-attack: people whose data has been accessed as a result of a cyber-attack which could harm their rights and freedoms must be informed as soon as possible.
EU citizens are encouraged to find out about and assert their new rights under the new directive.
GDPR: new requirements for organisations
Organisations have eight months to comply with the regulation. Although the official texts were published in May 2016, the requirements involve implementing substantial changes, whatever the industry sector: retail, healthcare, banking & insurance, etc.
- Accountability: company heads are legally responsible for implementing the appropriate technical and organisational measures to ensure data protection, including for work carried out via sub-contractors.
- Privacy by design: companies will now be obliged to take data privacy into account at the design stage of all projects and throughout the lifecycle of the relevant data processing, and the person in charge of processing data must also minimise the personal data processed.
- Impact assessment: before certain data processing operations, the potential risks for people’s rights and freedoms need to be assessed.
- Appointment of a Data Protection Officer (DPO): it’s this person’s job to inform and advise the organisation and its employees on their obligations to comply with the GDPR, monitor compliance with the regulation, and be the first point of contact for the supervisory authority. The DPO can be either an internal or an external appointment.
- Penalties: sanctions for non-compliance will be tough for organisations, with fines of up to 4% of annual global revenue for a private sector company.