The European Union General Data Protection Regulation (GDPR) is expected to be implemented at the end of this year and will require businesses to improve their data security.
The General Data Protection Regulation governs the security and management of personal data, both of customers and employees.
As an EU regulation, the General Data Protection Regulation automatically holds the force of the law and does not require separate country legislation; everyone must comply.
So How Will Data Protection Regulation Affect My Business?
In the first instance, the rules will only apply to businesses with over 250 employees which process more than 5,000 records each year. It is expected that the rules will eventually roll-out to smaller enterprises.
Businesses based outside the EU will be affected if they operate inside the EU. Again, it is anticipated that these measures will apply globally in time.
Businesses must identify which data held by them qualifies as personal data, where this is physically stored and in what state.
With the advent of Big Data, this will include any data that could be used to identify an individual. As “data controllers” hold and gather data on individuals, there is an added business risk.
It is incumbent upon businesses to establish internal frameworks to ensure regulatory compliance.
The methods that businesses use to collect and manage data must now embrace the concept of “privacy by design.”
Explicit consent must be obtained. Individuals must be given the right to withdraw that consent. So it will not be permissible to simply hold on to data just because there is no policy for its disposal.
Under the new rules, businesses will have will have 72 hours (from the point of discovery) to report a data communication breach to the local information commissioner.
Serious breaches of data protection regulation could result in fines amounting to 2% of global turnover or 1 million Euros, whichever is the greater.
It is thought that notification may not be required if the data is encrypted. However this means that all personal data is encrypted (not just credit card or social security numbers) and this is not something which is currently commonplace.
Whilst it is still unclear whether this will be a mandatory requirement, businesses should appoint a data protection officer if they haven’t already done so.
With a growing trend for overseas data centres or cloud processing, businesses should be mindful as to whether they are at risk in moving data outside of the EU.
Further afield, the EU and US have recently agreed on a data protection framework which protects personal data being shared for law enforcement purposes, such as terrorism investigations. Whilst it’s still early days, the “umbrella agreement” will enable EU citizens to enforce their personal data rights in US courts.
Only time will tell how effective the GDPR is. It is hoped that it will reinforce consumer confidence in online services and drive growth and innovation in Europe. The European Commission has high hopes, stating that it will remove national fragmentation and costly administrative burdens and lead to savings for businesses of around €2.3 billion a year.
Need To Legally Protect Your Website At A Price That’s Affordable?
This article was written by Rachel Furniss.
This article is provided for information purposes only and should not be construed as advice of any nature. The views and opinions expressed are subject to change without notice.