The General Data Protection Regulation (GDPR) came into effect on May 25th, 2018 and has since had wide-reaching implications for many companies both within and outside the EU. GDPR compliance is a requirement for any organization that collects, maintains, or uses the personal data of individuals in the EU, regardless of where the organization itself is based. It was designed to introduce a number of principles that aim to minimize the risk of data theft and ensure adequate protections are put in place to preserve the confidentiality and integrity of personal information. GDPR also aims to give more rights to the person the data concerns (the "data subject").
The need for GDPR is clear. In January 2012, the European Commission set out plans for data protection reform across the European Union in order to make Europe "fit for the digital age". The average person now stores a huge amount of information online, but the previous legislation was inadequate to deal with the threats to this information. As well as the loss of privacy an individual suffers if their data is obtained by an unauthorized third party, there are concerns about the expanding black market in private data. Health records and credit card numbers both have substantial black-market value, but protections were not in place to keep this data safe from criminals.
In Europe, the Council of Europe and the European Union are responsible for setting data protection rules. GDPR replaces the 1995 EU Data Protection Directive (95/46/EC) and the national laws that implemented it, thus creating a single EU-wide standard of data protection. In spite of the wide coverage and build-up to the roll-out of the regulation, a report published a few months before the launch of GDPR found that just 2% of the representatives surveyed considered their organizations "GDPR-ready". Achieving and maintaining compliance requires extensive employee training alongside the technical and organizational measures.
The GDPR data protection rules are extensive, but there are some important key points in the legislation. The rules include a comprehensive definition of what constitutes personal data and the conditions under which it may be collected. GDPR covers any data that can be used to identify a person, directly or indirectly ("identifiers"). This includes names, dates of birth, telephone numbers, addresses, photographs, bank details, online identifiers such as IP addresses, and even opinions about a person. In keeping with technological advances, genetic and biometric data are explicitly named as personal data and, when used to uniquely identify someone, fall into the special categories that receive stricter protection. The rules also set out the rights of individuals to know how their personal data is being used, and the obligations on businesses and organizations to have a lawful basis, such as informed consent, before collecting, maintaining or using that data.
Businesses and organizations have been tasked with reviewing how their practices comply with GDPR. In particular, the manner in which they obtain each individual's informed consent to collect their data should be under scrutiny. Consent is one of the lawful bases for processing personal data (others include performance of a contract, a legal obligation, and legitimate interests), and where an organization relies on it, the consent must be given freely by a clear, recordable affirmative action; pre-ticked boxes and silence do not count, and the organization must be able to demonstrate that consent was given. According to GDPR, an individual must be told before giving their consent what the data will be used for, and they must be informed of their right to withdraw that consent at any time, which must be as easy as giving it.
If a company violates GDPR, it can be subject to a hefty financial penalty. Fines are set in two tiers: up to €10 million or 2% of the organization's worldwide annual turnover for the preceding financial year, whichever is higher, for lesser infringements, and up to €20 million or 4% of that turnover, whichever is higher, for the most serious ones. GDPR lays out these upper limits, but ultimately it is the relevant supervisory authority that decides the penalty for a specific violation, taking into account factors such as the nature and duration of the infringement, whether it was intentional or negligent, and the steps taken to mitigate the damage. The regulation requires that fines be effective, proportionate and dissuasive: not so excessive as to be debilitating to a business, but enough to dissuade organizations from ignoring GDPR altogether.