Ready for the Biggest Data Protection Law Overhaul in 20 Years?
January 2nd 2016 | By Sarah McInerney
The protection of personal data has always been a subject under scrutiny, never more so than now with the agreement of the draft EU General Data Protection Regulation (GDPR) in December 2015, after four years of negotiations.
Cited by many as the most significant piece of privacy legislation in the past 20 years, the GDPR is likely to become EU law in the early part of this year, and there will be a two-year period of grace before it starts to be enforced.
Time to sit up and take notice
As business owners we are of course bombarded with new regulatory introductions and variations on a regular basis, and there is no shortage of rules concerning data protection already in place that we have to try to keep up with. However, the GDPR is definitely something to sit up and take notice of, because it really is going to bring in momentous changes for any business operating in financial services, health, transport, energy and water, as well as cloud computing operators and internet payment providers. Search engines will also be included under the Regulation.
If your business falls into any of these categories, it is time to start planning for the required changes. If you already have good data protection management in place, then you should not find the new Regulation too much of a burden. However, the new requirements will need to be incorporated into your risk assessment at the earliest opportunity.
Large scale changes are on the horizon
Stewart Room is head of data privacy at PricewaterhouseCoopers. He said, “Most companies will be shocked at the scale of the new rules and the work that needs to be done before the laws take effect in two years – it is not much time for the magnitude of the internal changes that will be required.”
As with any new regulation, it is going to take some time to iron out the finer details, but information will soon start filtering through as to the steps that need to be taken, so make sure you are subscribed to everything that will keep you informed. In the meantime, here are the key points of the GDPR that you need to know about:
- If a company breaches the GDPR, it will be forced to pay up to 4 per cent of its global annual turnover in fines
- A company will be required to report serious data breaches to regulators within 72 hours
- Businesses will not only have to be compliant, but actually show they are compliant
- If a company handles a significant amount of data then it will need to appoint a data protection officer
For technology users:
- A consumer’s right to be forgotten will extend beyond search engines into their entire web history. For example, a user could ask to have their Twitter profile completely wiped.
- There will be a right to transfer data from one company to another. For example, an online shopper at Waitrose could request all their shopping history and preferences data to be supplied to them, so that they could send it on to Tesco.
We say …
Even if your business does not fall into one of the categories governed by the GDPR, you should still be taking steps to ensure the security of the data you handle. Last February we wrote about how new data protection laws were transforming the marketing landscape. These laws apply to every business, so it is worth a re-read if you are not clear on your obligations.