What is the GDPR?
The General Data Protection Regulation (GDPR) is the most important change in data privacy regulation since the Data Protection Directive 95/46/EC, which was adopted in 1995. The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world. After four years of discussion and debate, the GDPR was approved by the EU Parliament in April 2016 and will officially come into force on 25 May 2018. Unlike the preceding Directive, the GDPR will be immediately enforceable in all EU Member States without the need for domestic implementing legislation.
Does the GDPR apply to me?
With the new Regulation, all companies processing personal data on EU citizens must comply with the GDPR, including companies that are not registered in the Union but service individuals in the EU. Whereas the Directive left several ambiguities on territorial applicability, once the GDPR comes into force even non-EU businesses offering goods or services to individuals residing in Europe will need to comply, irrespective of whether a payment is required and regardless of whether the processing takes place inside or outside the EU. This means that several controllers and processors which currently fall outside the Directive will now be subject to EU data protection law.
Main differences between the GDPR and the Data Protection Directive
Increased Territorial Scope: The GDPR makes its applicability very clear; it will apply to all companies processing personal data of subjects residing in the EU, regardless of the company’s location.
Penalties: The most significant change to the rules governing data protection is the introduction of fines of up to 4% of global turnover or €20 million, whichever is higher, for businesses that do not comply. This is the maximum fine that can be imposed for the most serious infringements.
Valid Consent: The consent of a data subject for the processing of his or her personal data must be freely given, specific, informed and unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Breach Notification: Where a data breach occurs, organisations must notify the national supervisory authority within 72 hours of first becoming aware of the breach. Data processors will also be required to notify their customers “without undue delay” after first becoming aware of a data breach.
Right to Access: Individuals will have more information on how their data is processed, and this information should be available in a clear and understandable way. This change is a dramatic shift towards data transparency and the empowerment of data subjects.
Right to be Forgotten: Also known as Data Erasure, the right to be forgotten gives individuals control over how their personal data is used and allows them to require organisations to stop using their data, in particular when it is no longer relevant.
Data Portability: The right for individuals to request their personal data collected by one service provider and transfer it to another service provider.
The GDPR should not be perceived as a threat to businesses, but rather as an opportunity to understand that the personal data held within the company is an asset as well as a liability. It is an opportunity to focus on updating current processes and to make sure the GDPR’s accountability principle is implemented in your day-to-day activities. As of 25 May 2018, businesses will be required to demonstrate, on an ongoing basis, how personal data is collected, used, retained, disclosed and destroyed in line with the GDPR requirements.
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice.