An agreement was reached on the draft EU General Data Protection Regulation (GDPR) at the end of 2015, and it signifies the dawn of momentous changes to privacy law: the biggest changes in two decades.
Data protection seems never to be out of the news, and it is certainly an area where new legislation is being introduced on a regular basis. It is important however to take good note of this latest Regulation, because it is set to have a huge impact for any business that operates in the financial services, transport, energy and water or health sectors. Search engines, cloud computing providers and internet payment operators will also be affected.
Now is the time to start preparing if your business falls under any of these categories, because there is much to do. Risk assessments will need to be adjusted to accommodate the new rules and, as head of data privacy at PricewaterhouseCoopers Stewart Room says, ‘Most companies will be shocked at the scale of the new rules and the work that needs to be done before the laws take effect in two years – it is not much time for the magnitude of the internal changes that will be required.’
There are still fine details to be confirmed, but in the meantime, you should make yourself aware of the following key points of the GDPR:
- If your company breaches data rules in a serious way then you will need to report the incident to regulators within 72 hours.
- If your business is found to be in breach of the GDPR then it will be fined up to 4 per cent of its global turnover.
- If you handle significant amounts of data then you will be required to appoint a data protection officer within your business.
- Consumers will have the right to request that their data is transferred from one company to another, so that their preferences and order history are made available to them through their new supplier.
- A consumer’s right to be forgotten will no longer be limited to search engines. It will now extend to their entire web history, allowing them to request total removal from any online platform and its history trail.
The GDPR is likely to become EU law in the early part of 2016. A two-year grace period will precede enforcement. Even if your business does not fall into one of the categories governed by the GDPR, it is still vitally important that you are fully aware of all the legislation that applies to your business, especially considering the new powers held by the Information Commissioner’s Office (ICO) concerning the use of data in telemarketing campaigns.