What to Know About the New EU Data Protection Legislation
With the General Data Protection Regulation (GDPR) due to come into force in May 2018, the European Union (EU) has shaken up data protection practices – and created a blueprint for responsible data practices that organisations around the world can learn from.
Data protection enforcement: accountability is key
The changes strengthen individual privacy rights and increase data protection enforcement, according to UK Information Commissioner Elizabeth Denham. They’re also aimed at “inspiring public trust and confidence”.
A survey earlier in 2016 showed that only one in four adults trust businesses with their personal data.
Accountability is key, said Denham.
“It’s your job and your company’s job to understand the risks you’re creating for others, and to mitigate them,” she said. This entails investing in privacy fundamentals from the outset.
“Wherever you are in the world, the themes of good data protection legislation are the same – consumers have the right to know what’s happening with their information combined with business transparency and accountability.”
The new data protection legislation also extends beyond EU borders: the rules apply to any organisation, in any country, that does business with an EU country.
What are the important aspects of the new data protection legislation?
Businesses must obtain explicit consent to use an individual’s data. There also has to be a legal basis for holding and processing personal data.
The new ‘right to be forgotten’ means anyone can get their personal data corrected or removed from the internet if it’s inaccurate or outdated.
Higher fines for non-compliance:
Organisations that do not comply face substantially increased fines (up to 4% of their global turnover or €20 million, whichever is higher).
Leadership in data security:
Leadership in data security is necessary. Companies may have to appoint a data protection officer (depending on the size of the company). The data protection officer will be in charge of keeping the organisation’s servers, systems, protocols and privacy practices up to date.
Transparency about how data is used:
Companies have to be more transparent about how they are using data. Maintaining internal data protection policies and procedures is required. Companies will have to be able to show how they are complying with the legislation in terms of mechanisms, policies, and systems that help achieve compliance.
Notification of data breaches:
Notification of a data breach is required within 72 hours of learning about it. Data breaches and the resulting investigations must be documented. The wilful destruction or alteration of data is considered a breach and theft. (This should be part of a comprehensive Data Breach Response Plan.)
Scheduled professional information destruction:
A company will have to delete data if it is no longer used for the purpose for which it was collected, or if the individual revokes consent for the company to hold it. The industry gold standard is to have scheduled, professional and secure destruction services for both paper and electronic data.