Just like the dragon guarding its pile of gold, the EU is once again updating its data protection laws to help protect your details and data.
In 1998, the EU released the Data Protection Directive, designed to help keep personal and corporate data safe in a world that is becoming more interconnected every day. Merely fifteen years later, the Data Protection Directive was already found to be lacking, and unable to keep up with the changes in technology. As a result, and after four years of deliberations, the EU announced the General Data Protection Regulation (or, GDPR, as catchy acronyms go) would be adopted in April 2016. At the time it was agreed there would be a two-year implementation period, and so the regulation actually comes into effect in May 2018.
The GDPR was designed to help bring data privacy laws from across Europe into sync with each other, to protect citizen data privacy, and to force organisations into redefining their approach to data privacy. The GDPR doesn’t just affect EU-based companies though. Any company that trades with an EU-based entity, whether personal or professional, must respect the GDPR.
If they fail to uphold the General Data Protection Regulation, then companies can be fined up to €20 Million, or 4% of their annual global turnover, as a maximum fine for the most severe breaches – not having customer consent to process their data, for example. There is a tiered plan to the fines, so something with a lesser severity might only be fined 2% of the company’s annual global turnover.
So what counts as customer consent to permit companies to process your data? While it used to be a case of a little checkbox with dubious phrasing in legalese that you checked (or not), now it has to be a bit more explicit. Consent must be clear and distinguishable from other matters, and must now be provided in an intelligible and easily accessible form. Any ambiguity could leave your company open to potential fines. It must also be as easy for a customer to remove consent as it is for them to give it.
The GDPR will also introduce an age factor into processing personal data. Now, there needs to be parental consent for sites and businesses to process details of children under the age of 16. There is some proviso in the Regulation that allows member states to alter the age of consent from 16 to 13.
The other aspect of the GDPR that could directly impact your business is an expansion in the roles of Data Protection Officers (DPO). If your company falls into one of three categories, you need a DPO. Outside of these categories, a DPO is not necessary. The three categories are:
- Public authorities – Government agencies, for example.
- Organizations that take part in large scale systematic monitoring – such as online behaviour tracking.
- Organizations that take part in large scale processing of sensitive personal data – i.e., credit reference agencies.