From 25th May 2018 the law is changing to protect EU individuals' personal information and to strengthen the rights of data subjects to prohibit unauthorised use of their data by organisations. A number of key changes under the General Data Protection Regulation (GDPR) have been set out to ensure that every business that processes, stores or uses personal data complies with the obligations it contains. Listed below is what you need to know about the upcoming GDPR switch, so whether you are a business owner or a consumer you should be aware of the changes that become enforceable from 25th May 2018.
OBJECTIVES OF GDPR
- Give back control of personal information to EU residents.
- Ensure companies are looking after personal information.
- Protect EU residents' data outside of the EU.
Sidenote: This will also affect employees!
Previously, EU data protection laws only affected companies in the EU. GDPR will now impact any company that processes any information about any EU resident. For example, if a website visitor from England buys a product from a company in America, that American company is still liable and must comply with GDPR, even though it is not based in Europe.
FINES
A written warning is issued before fines are imposed for unintentional breaches. After this written warning, fines for not complying with the new data protection legislation have increased massively to deter non-compliance. The maximum fine is now 4% of annual global turnover or 20 million euros (whichever is greater). There is a tiered approach to fines, and the severity will vary depending on the breach.
CONSENT
Getting consent to store personal information has changed. The terms and conditions for sign-up can no longer be long-winded or contain complicated language; they must be simple to read and understand. It must also be as easy to withdraw consent to store information as it is to give it.
DOUBLE OPT IN
It is compulsory to get consent from EU residents twice when requesting their details. This will mean getting consent on the website AND via email.
BREACH NOTIFICATION
Any breaches of data, including hacks or leaks, must be reported to the appropriate bodies within 72 hours. The individuals whose information has been compromised must also be informed within this timeframe.
RIGHT OF ACCESS
Individuals can ask a company to disclose what information it holds on them, how that information is used and for what purpose. On request, all the information stored on an individual must also be copied and sent out to them free of charge.
RIGHT TO BE FORGOTTEN
On request, all information stored on an individual must be removed, and no further data processing is allowed without the explicit consent of the individual.
DATA PORTABILITY
All data given to the client must be provided in an easily accessible format.
DATA MINIMISATION
The amount of data collected from an individual should match what the information will be used for. For example, if someone signs up to a newsletter, it is unlikely that the company will need card details, an address, etc. This is to stop companies harvesting information.