New EU-wide regulations on data protection – 5 key changes to be aware of
The European regulations on data protection haven’t changed much since 1995, but the way personal data flows between and within organisations definitely has. Technological developments have meant that personal data is now stored anywhere and everywhere, and it’s moving around too. Seem far-fetched? Think about the amount of times you enter data about yourself into forms on websites and apps – that data is normally stored somewhere new, and is all too easily exchanged between different organisations. Think about how many times smartphone apps ask you to grant access to use your location – it’s easy to forget how often we share personal data. The way this information flows within and between organisations has changed, and trends indicate that each generation becomes more comfortable than the last about sharing it.
So what does this mean for your business? The General Data Protection Regulation, or GDPR (soon to be passed through Parliament), is an attempt to allow EU regulations to catch up with consumers and the rapid advancement of our data-driven world. Currently each EU country enforces its data protection regulations through an allocated body such as the Information Commissioner's Office (ICO), but the GDPR will impose a number of EU-wide rules, which will affect not only all EU countries but any organisation trading within the EU (including big players like Google and Facebook). The draft GDPR document is being revised and updated regularly, so it's recommended that all organisations are prepared and adapted for the finalised document once it's officially passed. To get you started we've summed up some of the main changes proposed so far…
Bigger consequences for breaching regulations
Under the GDPR, fines of up to £100,000,000 or 5% of global annual turnover will be issuable if regulations are breached. This means that more companies will find it wise to comply with the rules. For bigger organisations especially, the consequences of a breach could be much higher than before.
A broader definition of ‘Personal Data’
Personal data under the old directive did not include certain information elements like IP addresses, cookies and web beacons. The new regulations include online identifiers as personal data – meaning a lot more data will fall under the remit of the law. If your company holds IP addresses and other internet-based personal data, you will most likely need to adjust your internal processes. It is advised that organisations only handle the data they really require, and that any additional data is not stored at all.
New rules for obtaining consent to process data
The latest proposals state that when consent is requested for the processing of any personal data, this consent must be ‘purpose-limited’. In other words, the consent must be obtained for one or more specific purposes. Consent also cannot be included in any wider agreement (e.g. bundled into terms and conditions) and must be obtained separately. This means that many organisations will have to change the way they obtain consent to process personal data like email addresses and telephone numbers, giving individuals more awareness of and control over what organisations can use their data for.
Mandatory reporting of security breaches
The new draft regulation is currently proposing that any personal data security breach (an unlawful or accidental compromise of personal data) will have to be reported to a supervisory body (the ICO in the United Kingdom) without undue delay. A security breach report is likely to have to include the facts surrounding the issue, the effects of the violation and the subsequent actions taken.
Mandatory impact assessments
It is likely that impact assessments will become mandatory with the new regulations. When there is a risk of harm during any use or processing of personal data, organisations will be required to conduct impact assessments. The impact assessed does not only concern individuals but also society as a whole, and it is likely that a threshold will be introduced so that, if data relates to over 5000 individuals, an assessment must be made.
The General Data Protection Regulation is not something to be overlooked. When the proposed fines of up to 5% of annual turnover are considered, we can see the importance of putting the right processes in place by the time the regulation is passed. The changes will have varying impact on different organisations, but the important thing is that each business understands the effects of the new changes.
Use the official EU page to be kept up to date with proceedings.