The General Data Protection Regulation (GDPR) has been called ‘the biggest change to data privacy for more than two decades’, but what exactly is it and how will it affect those working in IT?
It won't come into effect until May 2018, which may seem a long way off, so far off that the UK may not even be in the EU by then, but it could mean big changes for companies, so you need to start thinking about it now.
Under the new legislation, the EU hopes to make it even clearer that it sees data protection as a fundamental human right and one that businesses need to respect. The internet has meant that data can seamlessly move across borders, which has posed problems for previous laws surrounding data.
The GDPR aims to give individuals control over their personal data, while also making sure companies respect this with how they collect data. It will mean that businesses have one set of guidelines to abide by, rather than sometimes conflicting country laws.
Any company that does business in the EU or monitors the data of people who live within it will have to comply with the GDPR.
What's at risk?
There is a two-tier penalty system for businesses that breach the GDPR, both tiers of which can be enforced by the local data protection authority. The first tier allows a fine of up to €10 million or two per cent of the company's global turnover, whichever is higher. The second tier allows for penalties of twice this and will apply to offences such as violations of a person's new individual rights or failure to obtain the right form of consent. It will be up to the local authority to decide which tier a given offence falls into.
What do companies need to do?
Most aspects of the GDPR require companies to analyze the information and data they collect from consumers, and to be responsible about how they obtain consent and, where they share that data, how they share it. If businesses are storing data, they'll need to make sure the right protections are in place to preserve privacy. It's all about being aware of what information you are collecting, how you are collecting it, and what you are doing with it.
The main part of the GDPR focuses on ensuring you get informed consent from any individual from whom you are collecting data. Consent must be obtained before any information is taken, and the request must be clear and transparent.