The General Data Protection Regulations came into effect on May 25th 2018, and have since had wide-reaching implications for many companies both within and outside the EU. The need for GDPR was clear; existing laws were not robust enough to deal with the rapid changes in technology. In January 2012, the European Commission set in motion plans to reform data protection laws across the European Union to make the law “fit for the digital age”. Individuals now store a huge amount of personal data online, and organisations that collect, use, process, and transport that data should be held responsible for its protection. The creators of GDPR sought to introduce regulations to reduce the risk of data theft to a minimum.
Any business or organisation that handles the data of people located within the EU, no matter where the organisation itself is located or if the person is an EU citizen, is required to comply with with the GDPR stipulations. Any organisation that is found to be non- compliant with GDPR is liable to be fined, again, regardless of their location. If your organisation handles any data collected from within the EU, it is recommended that you seek legal counsel to ensure that your practices are fully compliant with GDPR.
GDPR has brought about new standards on data protection; businesses that handle the personal data of individuals are now required to ensure that they have reasonable safeguards in place to protect that data. This includes the appointment of a Data Protection Office (DPO). The DPO’s roles include educating staff members on subject data rights, advising the organisation on data management and GDPR compliant, assessing IT networks and data security systems on their effectiveness, monitoring internal data compliance and cooperating with the Lead Supervisory Authority.
A significant proportion of GDPR’s text is dedicated to the outlining how organisations should respond to data breaches. GDPR requires organisations to notify Supervising Authorities (SAs) of breaches of personal data within 72 hours of their discovery. Individuals who have had their data compromised should be informed as quickly as possible of the breach.
Under GDPR, new rights are granted to individuals over their data. For example, should an individual request that a business erase all data that they hold on them, the business is required to do so (termed the “right to be forgotten”). Individuals may also request that an organisation transfer their data to another, competing service provider. Under GDPR, the organisation is required to comply with this request.
Organisations are now required to obtain explicit consent from individuals to add their email addresses to mailing lists; practically speaking, this means that a separate check- box must be ticked online in order for consent to be gained. This is one of the most visible ways in which organisations will change their practices to comply with GDPR to consumers.
It is important to note that not all GDPR requirements will apply to every organisation; for example, businesses with more than 250 employees are expected to be fully GDPR compliant, whereas smaller businesses follow different rules. It is vital that your organisation it fully aware of its responsibilities under GDPR; ignorance is not an excuse, and the financial penalties for non-compliance are substantial.