The EU General Data Protection Regulation (GDPR) is a regulation in European Union law that was adopted in April 2016 and will become enforceable from May 2018 following a transition period of two years. It addresses data protection and the privacy of individuals within the EU and the export of their personal data outside the EU.
Its main aim is to give control back to individuals within the EU over their personal data as well as to unify regulation within the EU.
The GDPR legislation replaces the Data Protection Directive 95/46/EC and will affect any companies processing or storing personal data of those in the EU. The main changes and how they affect data storage are briefly discussed below.
Main changes in Legislation
Probably the biggest change is the extended jurisdiction of the GDPR. It now applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s own location. The directive was more ambiguous and referred to data processing ‘in the context of an establishment’.
With regard to penalties, organisations breaching the regulations can be fined up to four percent of their annual global turnover or twenty million euros (whichever is higher). There is a tiered approach to penalties which culminates in this maximum fine. This applies to both controllers and processors, so ‘clouds’ aren’t exempt.
Conditions for consent are stronger and requests for consent must be given in an intelligible and easily accessible form. The purpose for data processing must also be attached to the consent and withdrawal of consent must be as easy as giving it.
Breach notification within 72 hours of becoming aware of the breach will become compulsory in all member states where it is likely to “result in a risk for the rights and freedoms of individuals”. Customers will also need to be notified “without undue delay” after data processors first become aware of a breach.
Data subjects have a greater right of access: they can ask whether or not personal data concerning them is being processed, and where and why. They can also request a copy of this data in electronic format free of charge.
Under the GDPR data subjects also have the right to be forgotten, i.e. to have all their personal data erased and to stop it being circulated, including the right to have third parties stop processing their data.
Data subjects also have the right to data portability, whereby they can receive the personal data concerning them, as previously provided, in a “commonly used and machine readable format”, and can pass that data on to another controller.
Privacy by design becomes a legal requirement under the GDPR. It calls for data protection to be built in from the outset of system design, rather than added on afterwards.
There are also important changes regarding Data Protection Officers, alleviating the bureaucratic ordeal required under the current directive.
There are very few companies that won’t be affected by the new GDPR legislation, so it’s vital that you make sure you’re aware of exactly what is required of you regarding data storage and the GDPR, as ignorance is not a defence. You can get the full picture at www.eugdpr.org.