November 08, 2016

What Everyone Should Know About the New EU Data Protection Legislation

With the General Data Protection Regulation (GDPR) due to apply across the EU from May 2018, the European Union (EU) has shaken up data protection practices – and created a blueprint for responsible data handling that organisations around the world can learn from.

The changes strengthen individual privacy rights and increase data protection enforcement, according to UK Information Commissioner Elizabeth Denham. They’re also aimed at “inspiring public trust and confidence”.

A survey earlier in 2016 showed that only one in four adults trust businesses with their personal data.

Accountability is key, said Denham. 

“It’s your job and your company’s job to understand the risks you’re creating for others, and to mitigate them,” she said. This entails investing in privacy fundamentals from the outset.

“Wherever you are in the world, the themes of good data protection legislation are the same – consumers have the right to know what’s happening with their information combined with business transparency and accountability.”

Despite the implications of Brexit, the UK government has confirmed that the UK will be implementing the GDPR. During a recent speech, Secretary of State Karen Bradley said, "We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”

The new data protection legislation also reaches beyond EU borders. It applies to organisations established in the EU, and to organisations anywhere in the world that offer goods or services to people in the EU (whether or not payment is involved) or monitor their behaviour, regardless of where the data is processed.

Here are important aspects of the new data protection legislation:
  • Consent and lawful basis: Every use of personal data needs a lawful basis, and consent is only one of them (performance of a contract, a legal obligation and legitimate interests are others). Where a business relies on consent, it must be freely given, specific, informed and unambiguous, given by a clear affirmative action, and as easy to withdraw as it was to give; pre-ticked boxes, silence and bundled terms do not count. Explicit consent is required for special categories of data such as health, biometric or political data.
  • Right to erasure (‘right to be forgotten’): Individuals can ask for their personal data to be deleted in defined circumstances, for example when it is no longer needed for the purpose it was collected for, when they withdraw the consent the processing relied on, or when it has been processed unlawfully. Having inaccurate data corrected is a separate right to rectification. Neither right is absolute: an organisation can refuse where it has an overriding legal obligation or another lawful ground to keep the data, but it must explain why.
  • Higher fines for non-compliance: The most serious infringements carry fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. A lower tier of up to €10 million or 2% applies to failures of obligations such as record-keeping, security measures and breach notification.
  • Leadership: Data protection needs an accountable owner. Organisations must appoint a data protection officer if they are a public authority, if their core activities involve regular and systematic monitoring of individuals on a large scale, or if they process special categories of data on a large scale; the trigger is the nature of the processing, not the size of the company. The data protection officer advises the organisation on its obligations, monitors compliance (including staff training and audits), and is the contact point for individuals and for the supervisory authority. Day-to-day security of servers and systems remains the organisation’s responsibility, not the data protection officer’s.
  • Transparency and accountability: Companies have to tell individuals clearly what data they collect, why, on what lawful basis, for how long and with whom it is shared. They must also be able to demonstrate compliance: keeping records of processing activities, maintaining internal data protection policies and procedures, carrying out data protection impact assessments for high-risk processing, and building privacy into systems by design and by default.
  • Notification: A personal data breach must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the risk is high, the affected individuals must be told as well, without undue delay. Every breach, including those judged not reportable, must be documented along with its effects and the remedial action taken. A breach is not limited to theft of data: the definition covers accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, so a ransomware infection or an email sent to the wrong recipient counts. (Meeting the 72-hour deadline depends on having a data breach response plan that defines who assesses, who decides and who notifies.)
  • Information destruction: Personal data must be deleted once it is no longer needed for the purpose it was collected for, or when the individual withdraws the consent the processing relied on and no other lawful basis applies. In practice this means a defined retention period for each category of data and scheduled, verifiable secure destruction of both paper and electronic records, including backups and any copies held by processors.