The General Data Protection Regulation (GDPR) changes how companies can gather and manage data in the EU. The last laws governing how people’s data should be handled were drawn up almost two decades ago, so it’s clear to say a lot has changed since then. The new laws come into effect May 25 2018.
If you’re wondering about what will happen to the UK after Brexit, a new Data Protection Bill was put forward in 2017 which essentially replicates the rules set out in GDPR. Much like the conditions of GDPR, the Data Protection Bill outlines penalties for non-compliant organisations, as well as the issuing of fines.
What is GDPR?
The GDPR is an EU regulation that replaces the previous 1995 EU Data Protection Directive and its UK specific application, the 1998 Data Protection Act.
Under previous legislation, companies followed a soft approach, allowing storage of personal data and operating under “implied consent” regarding gathering data from users. However, the new GDPR laws are much stricter and aim to more concisely lay out requirements and penalties for failing to meet them. With this new law, it must also be obvious to users if their data is being collected and they must be presented with an option to not have their data collected.
Why was the regulation drafted?
The GDPR legislation has been in the works for the last four years and is in response to the changing nature of the modern digital world. The 1995 Data Protection Directive comes from a time when the internet was still not common in many homes, and many problems and concerns that have arisen since then have prompted a need for change.
The recent Cambridge Analytica scandal is a prime example of why stricter data control laws are required. Cambridge Analytica is reported to have harvested information from over 50 million Facebook profiles to help both the 2016 US Presidential election and the 2016 Brexit referendum.
How will the GDPR affect businesses?
The GDPR affects almost all ways that a business can gather and use user data, as well as a user’s rights regarding that data.
- Failure to comply with the new regulations carries a fee of €10 million or 2% of the company’s global turnover (whichever is higher). Companies can also be charged up to €20 million or 4% turnover for more serious consequences.
- Companies are responsible for reporting any data breaches and must do so within 72 hours.
- Implied consent, particularly mechanisms such as already ticked boxes in forms and actively having to opt out, is no longer permissible. Double factor opt-in systems are now required, where users first must sign up for marketing communications then further confirm through email. Records of gathered consent must be kept and can be revoked at any time by the user.
- Personal data is now more clearly defined and includes such items as bank details, IP addresses, medical records, social media usernames and posts, and photos.
- Data may only be collected and used for clearly defined purposes, with consent for this given by the user. Once the stated purpose has been completed, the data must be deleted.
- If requested, the user is to be given access to their data free-of-charge. Presently, a Subject Access Request (SAR) costs £10.
- Any data collec