November 22, 2017
Since 1995, European businesses and organizations have operated under data protection rules written for an era with far less digital data. To update those rules, the European General Data Protection Regulation (GDPR) takes effect on May 25, 2018, and numerous GDPR experts are ready to profit from offering to help businesses get ready. U.K. information commissioner Elizabeth Denham dubs much of the activity “scaremongering,” saying that companies that complied with the older rules won’t have to deal with major changes.
Wired reports that the European Union’s GDPR website states that it is designed to “harmonize” data privacy laws across the continent “as well as give greater protection and rights to individuals.”
“The GDPR is a step change for data protection,” said Denham. “It’s still an evolution, not a revolution.” The European Parliament and the European Council adopted GDPR in April 2016 and “the underpinning regulation and directive were published at the end of that month,” giving anyone impacted two years to prepare.
GDPR consists of 99 articles “setting out the rights of individuals and obligations placed on organizations covered by the regulation,” including “allowing people to have easier access to the data companies hold about them, a new fines regime and a clear responsibility for organizations to obtain the consent of people they collect information about.”
Under GDPR, companies must have “data protection policies, data protection impact assessments and … relevant documents on how data is processed.” A breach — “destruction, loss, alteration, unauthorized disclosure of, or access to” data — “has to be reported to a country’s data protection regulator.” Any instance that “could have a detrimental impact on those who it is about,” which includes “financial loss, confidentiality breaches, damage to reputation and more,” must be reported.
In the U.K., companies would have 72 hours to report such activity to the ICO (Information Commissioner’s Office) and to the people affected.
Under GDPR, individuals also have “a lot more power to access the information that’s held about them.” Rather than having to file a Subject Access Request and pay £10 for the information, “requests for personal information can be made free-of-charge,” and companies must cough up the information within a month.
Users will have the power to get personal data erased if “it is no longer necessary for the purpose it was collected, if consent is withdrawn, there’s no legitimate interest, and if it was unlawfully processed.” With GDPR, regulators can also “fine businesses that don’t comply with it” for a variety of offenses relating to treatment of personal data. The impact on businesses will vary, and the ICO has prepared a 12-step guide to help companies and organizations prepare for the May 2018 switch.