In the wake of growing concerns about the theft and misuse of big data and personal information, the European Union (EU) has passed the General Data Protection Regulation (GDPR) enforcing the right to personal data protection of the individuals throughout the Union with effect from May 25, 2018.
What is GDPR?
The EU General Data Protection Regulation (GDPR) is new legislation aimed at protecting the data privacy of all EU citizens and residents. It aims to simplify the regulatory environment for international business by harmonizing the data protection acts among its member states. A very important component of the act is the control of the transborder flow of private data outside the EU and prevention of personal information abuse by entities outside the Union. Enforcement of GDPR has several implications for businesses, academia and non-profit organizations working on data collected or derived from EU nationals and residents.
Overview:
GDPR applies to any company, entity or organization operating within the EU, and also to organizations outside of the EU which offer goods or services to customers or businesses in the EU. This includes almost every major business organization in the world..
According to regulation, there are two types of data-handlers: data processors and data controllers. The definitions of each handler are outlined in Article 4 of the General Data Protection Regulation. GDPR enforces legal obligations on a data processor to maintain records of personal information and how it is processed, providing a much higher level of legal liability should the organization breach the regulation. Data controllers will also be forced to ensure that all contracts with processors are in compliance with GDPR.
Data protected under GDPR are:
- Personal data such as name, address, nationality and social security numbers
- Web information such as location, IP address, cookies and RFID tags
- Health and genetic records
- Biometric information
- Racial/ethnic profile
- Political association/opinion
- Sexual orientation
This means US companies like Facebook, Google, Snapchat and Instagram are not immune to disruption when GDPR takes effect. According to PageFair, these companies, under GDPR, will be unable to use the personal data they collect and hold for advertising purposes without user permission.
Key changes:
Jurisdiction: The main update to the regulatory landscape of data protection comes with the widespread territory in which GDPR is applicable. That means all companies processing the personal information of individuals living in the Union, regardless of the company’s location, must follow the new regulation. GDPR will also apply to the processing of personal data, regardless of whether the processing takes place in the EU or not. That is, the legislation will also apply to the processing of personal data of individuals in the EU by a data controller or data processor not located within the EU. Non-EU business entities processing the data of EU citizens will also have to appoint a representative in the EU.
Non-compliance and fines: Under GDPR, entities that breach regulation compliance can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious violation. There is a grade-level approach to penalties, e.g. a company can be fined 2% for not having their records in order (Article 28), not informing the management authority and data subject about an infringement or not conducting an impact appraisal. It is important to note that these rules apply to both controllers and processors – e.g. internet cloud servers will be included in the regulation enforcement.
Consent: Organizations can no longer be able to use lengthy indecipherable terms and conditions full of legal jargon. Request for consent must be given in an understandable and easily accessible form, with the purpose of data processing attached to that consent. Consent must be unambiguous and distinguishable using plain language. It must be as easy to withdraw consent as it is to give it.
Implications for businesses:
GDPR enforces one law across Western Europe and a universal set of regulations that apply to companies doing businesses within EU member states. This means the reach of the legislation extends beyond Europe, as organizations based outside the region but with operations in EU will still need to comply.
According to an estimate from Veritas Technologies, companies will have to spend an average of €1.3 million on systems and training to comply with the GDPR. In addition, estimates show that Fortune 500 firms will need to hire at least 5 full-time dedicated employees to handle the compliance monitoring. However, the European Commission (EC) claims that exercising a single regulatory data protection authority for the entire EU, over the long term, will make it simpler, easier and cheaper for businesses to operate within the region. According to EC estimates, implementing GDPR will save €2.3 billion per year across Europe.
GDPR encourages companies to espouse new technologies like pseudonymization to take advantage of collecting and analyzing personal data, while the privacy of their customers is protected at the same time.
Data protection in other regions:
Starting from May 25, 2018, GDPR will come into full effect after the 2-year transition phase. Other nations also have updated their data protection regulations. For example, Singapore passed a data privacy law in 2012 that protects all of its nationals’ personal data. South Korea has strongest data privacy laws in the Asian region, even protecting its citizens’ images or voice. Australia’s Privacy Amendment Act, passed in 2012, was fully enforced in 2014 to monitor the collection, use, storage and disclosure of personal information, including making sure how companies are investing in new IT systems and staff training.
In the era of IoT, big data and blockchain, cybersecurity should be among your organization’s priorities. Our team of experts can quickly bring you up to speed on the latest developments and innovations in this area. Contact us today!