74 days to go…
With 74 days until the new General Data Protection Regulation comes into force, businesses around Europe are beginning to speculate about what it will mean for them and to evaluate how they will need to adapt to the changes in the law. Knowing how your organisation will be affected, and preparing in advance, is essential.
The new law will come into force on 25th May 2018. It was designed to harmonise data privacy laws across Europe, to protect and empower the data privacy of all EU citizens, and to reshape the way organisations across the Union approach data privacy.
The previous Data Protection Directive
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. The Data Protection Directive was originally formulated over 20 years ago, after the European Community felt the need to align data protection standards within member states in order to facilitate cross-border data transfers. The Community needed such a Directive because the level of protection varied from one member state to another, which failed to offer any real legal certainty. The Directive was therefore adopted in 1995 to safeguard the protection of individuals with regard to the processing of personal data and to facilitate the free movement of personal data.
Why did the law need to be changed?
The main issue with the original Directive was that it did not live up to its objective of ensuring harmony between member states. By its nature, a directive is not capable of immediate transposition into domestic law and has to be implemented by each member state. This implementation requirement allowed for discrepancies between the states' subsequently enacted laws, which was precisely the problem the Directive had set out to alleviate. Despite its attempt to bring about a sense of harmonisation by providing guidelines which states could follow, major differences still arose.
The continuing legal uncertainty which emerged as a consequence of diverging domestic laws constituted an obstacle to the pursuit of economic activities at EU level, suggesting that a change in the law was more than overdue. A directive differs from a regulation in that a directive sets minimum standards to be followed by states, whereas a regulation is directly binding law in every member state without the need for any additional national legislation.
What is the GDPR?
The new GDPR has been described as the ‘most significant data security in the world’ and ‘the latest step in the ongoing global recognition of the value and importance of personal information.’ It is DIRECTLY applicable in all member states. The GDPR also extends the territorial scope of Europe’s data protection regime to organisations outside the EU that do not currently fall within the scope of the Data Protection Directive. This essentially means that it now covers organisations outside the EU where their processing of personal data relates to the offering of goods or services to individuals within the Union, or to the monitoring of those individuals’ behaviour within the Union. Article 3(2) provides for this extension.
Extensive debates on how to improve data protection meant the GDPR took 4 years to prepare before finally being approved by the European Parliament on 14th April 2016.
The GDPR essentially requires all data controllers and processors that handle the personal data of EU residents to:
“Implement appropriate technical and organisational measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.”
It is divided into two broad sections. The first comprises the recitals, which provide context and direction on how the law should be interpreted. The second comprises the articles, which set out the specific, legally binding requirements that must be complied with.
The GDPR also gives individuals more power to access the information that is held about them, allowing users to ask businesses or organisations for access to their personal data (a ‘subject access request’). Requests for personal information will in most cases be free of charge, and the organisation must respond within one month.
Individuals will also have the ability to ask for their personal data to be erased where there is no compelling reason for its continued processing. This is referred to as the ‘right to be forgotten’. The GDPR goes further than the Data Protection Directive by expecting social media companies such as Facebook and Twitter to delete posts made by children on request, regardless of the person’s age at the time of the request. This is because a child (a person under 18 years old) may not have been fully aware of the consequences of the data processing at the time consent was given.
Other interesting points
- Users will have the ability to move, copy or transfer their data between organisations (the right to data portability).
- Users will have more rights to claim compensation for breaches they suffer. Supervisory authorities such as the Information Commissioner’s Office will have the power to levy fines of up to €10 million or 2 percent of a company’s global annual turnover, whichever is higher, rising to €20 million or 4 percent for the most serious infringements.
- The definition of ‘personal data’ will stretch to include online identifiers such as IP addresses and cookie identifiers, as well as biometric data.
- New criminal offences will be created by the accompanying UK Data Protection Bill, including intentionally or recklessly re-identifying individuals from anonymised data, altering data that has been requested by an individual, and unlawfully obtaining or disclosing personal data without the consent of the data controller.
How will it affect you?
Both major companies and small to medium enterprises will be affected by the new regulation. The new rules give users more control over their data and take power away from businesses by preventing them from using data freely for their own benefit. Tighter regulation also means a greater potential for fines on the horizon. The GDPR requires organisations to know exactly what personal data they hold, where it is located and why they are processing it, meaning a full information audit should be carried out in preparation for the May 2018 deadline.
For any advice on how you and your business can prepare for the new rules, we recommend you visit the Information Commissioner’s Office guide to Preparing for the GDPR.
This blog post was written by Laura Howarth and Charlotte Jones.
Laura is a final year MLaw student at Northumbria University. After graduation Laura would like to gain a work and study visa in Australia before returning to the UK to hopefully secure a training contract. Laura’s interests outside of law include travelling, cheerleading and human rights.
Charlotte is a final year MLaw student at Northumbria University, currently working in one of the Business and Commercial firms in the Student Law Office. After graduation Charlotte wishes to pursue a career as an in-house lawyer. Charlotte has a keen interest in travelling abroad and hopes to visit Thailand, Vietnam, Bali and Australia.