EU Attempts to Fight Data and Privacy Breaches
On May 25, 2018, the General Data Protection Regulation (GDPR) will come into effect, heavily impacting global business. In an effort to protect its citizens, the EU passed firm legislation that aims to protect the personal data that companies may receive from their users and clients. Given the GDPR's demanding requirements, businesses that wish to remain efficient will need to become familiar with the legislation's terms and respond strategically in order to avoid any disruptions to their operations.
The GDPR was initially proposed by the European Commission, the legislative body of the European Union, in January 2012. Two years later, in 2014, the European Parliament approved the legislation, allowing for its official passage in 2016. The transition period, referred to as a "two-year post-adoption grace period," will end on May 25, 2018, at which point the GDPR takes full effect and its terms become enforceable.
Interestingly, a study conducted by Dell and Dimension Research concluded that approximately 80% of businesses know “little to nothing about the GDPR” and that 97% have not created a plan for how they are to respond. Unfortunately, this ignorance can lead many firms to incur a number of hefty fines.
The EU intends to prevent many of the data and privacy breaches that are common in data-driven societies and economies. The regulation stresses that it applies to the processing of personal data regardless of whether or not that processing takes place within the EU. Interestingly, the GDPR will therefore even affect foreign companies that have clients and services within the European Union.
Businesses that violate the GDPR can face tremendous penalties. Specifically, a company can be fined as much as 4% of annual revenue or 20 million euros, whichever is greater. Violations may include not having company records in order, failing to notify the authorities and victims of a data breach within 72 hours, and not having sufficient customer consent to process their personal data. The regulation stresses that acquiring consent for processing personal data is critical. Therefore, to comply with GDPR standards and ensure that customers are aware of their privacy risks, companies must provide terms and conditions that are "clear and distinguishable from other matters" and that are distributed in an "intelligible and easily accessible form."
In order to fully protect EU citizens’ data, GDPR will provide them with certain rights to prevent company misuse. They will have the right to be notified if their personal data is being processed, where it is being processed, and the purpose for processing it, establishing data transparency between subjects and companies. Data subjects will also have the right to be “forgotten,” which is known as Data Erasure. This gives individuals the power to not only halt the processing of their personal data, but to completely erase it from the company’s systems. Data Erasure may only take place if the data is said to “no longer be relevant” to the original goals of the processing or if an individual removes his or her consent. Moreover, companies will be required to provide data upon request to data subjects, which is referred to as data portability. Upon request, companies must be able to transmit data to an individual in a “commonly used and machine-readable format.”
The concept of data minimisation is emphasized as well. This refers to the requirement that data may only be processed and retained if it is necessary for the purposes outlined in advance. Additionally, access to personal data must be limited to those who conduct the data processing.
Companies whose primary operations involve the processing and regular monitoring of data subjects, or the processing of data related to crime, will be required to appoint a Data Protection Officer (DPO), who is responsible for keeping the company's internal records.
The detailed requirements of the GDPR and its near global impact will shape the way organizations across Europe and the world do business and approach data and privacy. Once this goes into effect in May, businesses will be required to adjust their operations accordingly to effectively comply and avoid penalties.