From this coming May, the European Union (EU) will implement a new General Data Protection Regulation (GDPR), designed to bring data protection legislation in line with the ways in which data is used in the 21st century. GDPR aims to give EU citizens and residents control over their own sensitive data, empowering them to demand that organisations dispose of unneeded private information and do not share it with third parties without the individual’s explicit permission.
At present, the UK’s data protection regulations are dictated by the Data Protection Act 1998, enacted after the EU Data Protection Directive 1995. The implementation of GDPR will supersede the existing legislation, unifying data protection rules throughout all EU member states. The Data Protection Act 1998 was formulated prior to the expansion of the internet and cloud technology, and this new legislation is designed to provide greater trust and transparency in the digital age. The EU estimates that the unification of data protection law across its member states will save European businesses around £2bn a year.
The GDPR will be active from 25th May 2018 and it’s important for businesses throughout the EU to be prepared. Severe fines for GDPR non-compliance are set to be dished out to organisations that fail to demonstrate, on request, how they are enforcing GDPR. These fines, however punitive they may seem, are deemed necessary to ensure businesses take the protection of personal data seriously.
Who does GDPR apply to?
The EU’s GDPR is applicable to those deemed to be ‘controllers’ and ‘processors’ of individuals’ sensitive data. A controller is whoever decides why and how personal data is used, for instance an e-commerce website gathering users’ addresses and full names in order to distribute marketing material. A processor is the organisation or individual that actually processes the data, e.g. an IT service provider.
There’s one important thing to note for businesses based outside the EU. Controllers and processors of personal data of EU residents will still be bound by the rules of GDPR even if they are based in the United States, Australia or South-East Asia. More importantly, it is the controller’s responsibility to oversee their processor’s actions and ensure they abide by the GDPR legislation.
When can personal data be used under GDPR?
Put simply, controllers of individuals’ sensitive data must be able to demonstrate that the information they hold is processed lawfully, transparently and for a specific, legitimate reason. Moreover, once that reason or goal has been met, the personal data is deemed no longer needed and must be disposed of accordingly.
In order to obtain an individual’s consent to use sensitive data under GDPR, collectors must make clear to their subjects what their data will be used for, rather than rely on the passive acceptance techniques that are currently commonplace, such as default opt-in subscriptions to newsletters. Controllers are also required to keep a record of how and when individuals provided their consent, and those individuals have the right to withdraw that consent whenever they see fit.
If your organisation’s current model for obtaining user consent for personal data does not meet the new GDPR requirements, now is the time to overhaul it and avoid unnecessary financial penalties when the regulation is applied this summer, regardless of where you’re based.