Less than a year remains before the new EU General Data Protection Regulation (GDPR) comes into effect. The date of implementation is May 25, 2018.
And no, Brexit does not mean that the regulation will pass the UK by. Both the government and the Information Commissioner's Office (ICO) have confirmed that the GDPR will apply to Britain, too.
The introduction of the GDPR has been called the most significant change in data privacy regulation in the past 20 years.
Businesses collecting, processing or selling data about EU and UK residents are likely to be affected by the changes. If your organisation handles personal data relating to people in the EU, the GDPR applies to you regardless of where your organisation is based.
We will now explain what GDPR is, its goals, and the implications of its enforcement, to get you familiar with the newest legal requirement your business is expected to comply with.
The GDPR is designed to harmonise data privacy law across Europe and to protect and empower the data privacy of everyone in the EU.
Companies will be required to minimise the personal data they collect, keeping only what they need for a stated purpose. The idea is to give people in the EU control over their data: organisations may process it only on a lawful basis, the clearest of which is consent the individual has freely and explicitly given.
The personal data the GDPR protects includes names, ID numbers, IP addresses, cookie identifiers and, as "special categories" attracting stricter rules, health data, genetic data, biometric data, racial or ethnic origin, political opinions, and sexual orientation, among others.
The GDPR will grant EU citizens
Companies will also be required to implement appropriate technical and organisational data protection measures, and to perform data protection impact assessments (DPIAs) for high-risk processing in order to identify risks to individuals' data and then address them.
Public authorities should be especially careful about protecting the data they hold, and the recent fine the ICO issued to Gloucester City Council shows why. After the council's website was hacked in 2014 and over 30,000 emails containing financial and sensitive information about council staff were downloaded, the council was fined £100,000 under the current Data Protection Act. Under the GDPR, the penalties available for breaches of this sort will be far higher.
Companies have been advised to appoint a Data Protection Officer (DPO) and build a team around them to devise a data protection plan, as a first step towards adjusting their business to the new law. From May 25, 2018, having a DPO becomes mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data.
As the implementation date of the GDPR approaches, businesses increasingly fear that they will not be ready for the changes, and that failing to prepare could result in severe fines. The penalties are harsh indeed: a company that fails to comply with the GDPR faces a fine of up to 4% of its global annual turnover or €20 million, whichever sum is greater.
Our experience at Data Soap is that we have received increased requests from clients to clean their databases in preparation for when the GDPR takes effect. It definitely helps to clean your databases before undertaking a more elaborate approach to addressing the new regulation's requirements.