The countdown is now on for businesses all across Europe to prepare themselves for the GDPR. The current 1995 data protection directive is due to be replaced in May 2018 by the General Data Protection Act (GDPR), the most significant change to data protection regulation in 20 years. Like most businesses across Europe, we have been busy preparing for it at SE Recycling. Although GDPR requires businesses to be a lot stricter with their data, it will make things slightly easier by requiring them to adhere to just one set of rules covering all EU countries, rather than wading through each country's specific set of rules, which makes compliance simpler for businesses.
In short, GDPR is a regulation intended to strengthen and unify data protection for all individuals within the European Union; it has been designed to give individuals greater control over their personal data. It also addresses the export of personal data outside the EU, to third world countries or to international organisations, in order to ensure that the level of protection the GDPR affords individuals is not undermined.
At SE Recycling, it is important to us that our customers trust us to handle their data with care, which is why we have been preparing for the change in law for the past few months to ensure that we are fully compliant with it. We have also been making sure that all of our staff are aware of the changes and have a full understanding of their general responsibilities, which will allow implementation to run smoothly.
The biggest changes that businesses need to be aware of include:
- Under the new law, companies will be fully responsible for the collection, storage, and use of personal data and will have to ensure that they have data protection policies and impact assessments in place, in addition to the relevant documentation on how they process data.
- Consent will always be necessary for processing children’s data.
- The conditions for consent for all other data have been strengthened; the request for consent must be given in an intelligible and easily accessible form. Consent must be very clear and distinguishable from other matters and it must be as easy to withdraw consent as it is to give it.
- Data subjects will have a lot more control over their personal data, including the right to be forgotten.
- There are new requirements for data portability, which will allow a user to request a copy of their personal data in a format usable by them and electronically transmissible to another processing system.
- New restrictions on international data transfers.
- Mandatory Data Protection Impact assessments will be introduced.
- Tougher penalties will be introduced for businesses that are in breach of GDPR: they can be fined up to 4% of annual global turnover.
- Any data breaches must be reported within 72 hours of initial awareness of the breach. Customers must also be made aware of any breach involving their personal data.
- Data subjects will be given the right to obtain information on whether or not their personal data is being processed, as well as the right to be forgotten.
Although it is still a few months away, GDPR will come into effect as of May the 18th, and businesses need to plan their security strategies in advance so that they have enough time to achieve compliance by then.