The privacy laws currently in force are based on the 1995 European Data Protection Directive. Each European member state has interpreted this law in its own way, which means the laws differ from country to country. In addition, this law is outdated as it does not take into account social media and cloud technology for example. To deal with this and to ensure a uniform European legislation, the General Data Protection Regulation (GDPR) was drafted.
GDPR officially came into force in May 2016 and provides a transition period for organisations with more than 250 employees until May 25, 2018. As of May 25, 2018, the new European privacy rules will apply to any organisation that uses personal data in all EU member states. All national laws concerning personal data will be immediately replaced by the GDPR. The European Privacy Commission will be authorised to monitor compliance with GDPR and to impose high fines for violations.
The new GDPR legislation is based on three key pillars:
1. Collection and use of personal data
The main key word regarding the collection and use of personal data is transparency. First, it must always be clear to the people you collect this data from which data is kept and how it is collected (cookies on the website, disclaimers and privacy notifications, double opt-in for email marketing, etc.).
Next, they must always be able to view their data. In addition, they also have the right to modify or delete this information. If the person whose data you collect has a good reason to change or delete their data, you must do so immediately and notify them when it is done.
Furthermore, the laws regarding the protection of minors have also been tightened. To process data from children younger than 16, explicit permission from a parent or guardian is needed according to the GDPR. The automatic processing of personal data such as interests, function and location, for example, is restricted in order to constrain prospection. In this specific case, the people concerned must be able to access their data at any time, so not just the contact details, but all the information the organisation holds about that person.
2. Data transfer
The transfer of personal data will also be regulated more strictly by the GDPR. Anyone who shares their personal information must be notified when it is shared with third parties. Someone who collects e-mail addresses to pass on to third parties later on can now only do so with double opt-in, which means that permission must be asked twice before the information can be passed along.
In addition, individuals also have the right to request a transfer of their data to third parties. For example, if you change telecom operators or energy providers, you no longer need to transfer all the data yourself. You can now ask your current operator or provider to transfer the data, which must be done free of charge and within one month.
3. Security
The goal of the new GDPR is to improve the security of personal data. In order to further tighten security, organisations are now obliged to report data leaks or data theft immediately. If the leak entails a danger to the collected personal data, they must notify the Personal Data Authority and the persons concerned within 72 hours.
In addition, organisations are also advised to appoint a Data Protection Officer (DPO), a specific employee who needs to ensure that all GDPR rules are complied with. In certain sectors that work extensively with personal data, such as direct marketing and prospection, but also the government, such a DPO is even mandatory.
Finally, the new GDPR also provides for Data Protection Impact Assessments (DPIA). A DPIA is a privacy audit that investigates the way personal data is collected, processed and stored within an organisation. The goal is to identify (and later address) security risks.
Is your organisation ready for the GDPR, which will come into force on May 25, 2018?