It seems that almost everyone is talking about GDPR in 2018. European data protection is currently undergoing huge changes, of a kind not seen in a very long time. The amount of data created in the past couple of years has more than doubled, so the rules across the continent governing the use of that data have had to be rewritten and enforced. May 25, 2018, has already been set as the date on which the new, mutually agreed European General Data Protection Regulation (GDPR) will update personal data rules.
Once GDPR goes into effect, it will completely change how public sector organizations and businesses use the personal information they obtain from their customers. GDPR is also expected to give individuals more control and rights over the information they submit to businesses and public organizations.
With GDPR coming into effect very soon, there is stiff competition among GDPR experts who want to help businesses and public organizations understand how GDPR affects their operations and prepare for it. Naturally, these experts expect to be paid well for their expertise. You don’t need to worry too much about GDPR, or let these so-called experts guilt you into paying huge sums for their services. If you are wondering what GDPR is all about and how it affects your business, this article will tell you everything you need to know.
What is This GDPR Anyway?
In simple terms, GDPR is a new set of data protection laws governing how personal data is used in Europe. It replaces the 1995 data protection law that is currently in practice in the United Kingdom.
The new law is also designed to give individuals greater rights and protection. It will “harmonize” privacy laws across Europe, and it greatly affects how businesses and public organizations use personal information.
GDPR was adopted as the new data protection law in April 2016 by both the European Council and the European Parliament, after more than four years of discussion and negotiation. The new regulation and directive for businesses and public organizations were published in the same month.
Following the adoption and publication of GDPR in the EU Official Journal in May 2016, it was settled that the new legislation would come into force on May 25, 2018. Anyone affected by the new legislation was given two years to prepare and ensure they are compliant when the law takes effect.
Wait a Minute … Don’t We Already Have Data Protection Laws?
Before GDPR was adopted and published, all EU member states operated under the 1995 data protection regulations. Most of these states also have their own national laws governing their operations. For instance, until now the UK has operated under the Data Protection Act 1998, which sets out how companies, government, and organizations may use personal information.
GDPR will certainly bring many changes to how businesses, governments, and organizations use personal data. The UK government has already published a Data Protection Bill which covers most points in GDPR with only a few minor changes.
What You Need to Know About the UK Data Protection Bill
The UK government has already proposed a new data protection law which will include the vast majority of GDPR. The bill was published on September 14, 2017. However, before it becomes law and enforceable, it needs to pass through the House of Commons and then the House of Lords.
GDPR was created to govern how personal information is used in Europe. However, there is room for some flexibility: member states may adapt some parts of the new regulation to their own preferences. The new Data Protection Bill proposed by the UK government will give greater protection to journalists, scientific and historical researchers, and anti-doping agencies.
How is GDPR Going To Impact My Business?
GDPR is going to affect you if your company, startup, or charity “collects”, “controls”, or “processes” personal data. According to the ICO’s website, GDPR is likely to affect you if you are currently subject to the DPA.
GDPR offers increased protection for both personal data and sensitive personal data. Personal data generally means any information that can be used to identify an individual, including but not limited to a name, address, IP address, date of birth, and more. Sensitive personal data includes genetic data, sexual orientation, information about an individual’s religious beliefs and political views, and more.
These definitions do not deviate from the current data protection laws, and they also cover information collected via automated processes. However, GDPR does differ on where pseudonymized personal data falls. Under GDPR, pseudonymized data counts as personal data if it is possible that an individual could be identified from it.
Alright, What’s the Difference Between the Two?
GDPR sets out the obligations of businesses and the rights of individuals in ninety-nine articles. These obligations include giving individuals easier access to the data that businesses and organizations hold about them. A new fines regime was introduced, along with a clear responsibility for businesses and organizations to obtain people’s permission before collecting their information.
Not Ready For GDPR? If you are hearing about GDPR for the first time, the steps below will help you stay compliant:
Accountability and Compliance
Companies covered by GDPR are expected to be more accountable for their use of the personal information they obtain from people. As a business, you must now have data protection policies in place and make clear how you obtain, document, and process data.
GDPR now requires businesses and organizations to report any data breach to the country’s data protection regulator, as well as to the data owners, within 72 hours of finding out about the breach. If you have more than 250 employees, you need to state how you collect and process data, and what security you have put in place to protect the data you collect.
Access To Your Data
GDPR also gives individuals greater control over, and access to, the data that organizations and businesses hold about them. Currently, a Subject Access Request (SAR) allows businesses and organizations to charge £10 before giving individuals the information held about them. This charge has been scrapped, and anyone can request their data from any organization or business free of charge. Under the new regulation, individuals also have the power to have their information erased from the database of the business or organization holding it.
A business or organization can be fined if it doesn’t process an individual’s data the way it is supposed to. It can also be fined by regulators if it is required to have a data protection officer but fails to appoint one. Similarly, there will be fines to pay in the event of a security breach.
Organizations can be fined as much as €10 million or 2% of the firm’s global turnover (whichever is greater). For more serious offenses, an organization can pay up to €20 million or 4% of the firm’s global turnover (whichever is greater). Currently, the largest fine the ICO can impose is £500,000. The new fines introduced by GDPR are 79 times higher.
What If We Don’t Comply From Day One?
Businesses and organizations covered by GDPR were given a two-year preparation period to get their systems ready. However, it is likely that many businesses won’t be ready when the new law kicks in.