EU General Data Protection Regulation – The Key Changes
- 4th January 2018
- Benjamin Jones
- No comments
Major changes to data protection law will be coming into effect in May 2018. The EU General Data Protection Regulation (GDPR) will be introduced with the intention of strengthening data protection for individuals within the European Union (including the United Kingdom).
These are some of the significant changes:
Broader definition of ‘personal data’
The new regulation has broadened the definition of ‘personal data’ to include certain online identifiers (IP addresses, cookies etc.). This ensures the regulation is up to date with modern technology, and data which was previously obtained freely by organisations is now regulated by law.
It is advised that organisations only gather, store and retain the personal data that they absolutely require. Organisations will have to prove their reasoning for acquiring the personal data and ensure any additional information is not stored at all.
Increased financial sanctions
Organisations that fail to comply with the new data protection laws could face substantial sanctions. The maximum fines have increased and will act on a two-tier basis depending on the nature of the breach: up to 2% of annual worldwide turnover or €10 million (whichever is greater) or up to 4% of annual worldwide turnover or €20 million (whichever is greater).
Consent must now be ‘unambiguous’ to comply with GDPR. To ensure this is achieved, GDPR requires individuals to signal consent by a statement or clear affirmative action. Such activity would include a positive action like ticking a box. As a result, previous methods of obtaining and assuming consent such as silence, inactivity, pre-ticked boxes and requirements to only opt-out will become inadequate.
Enhanced rights of individuals (data subject rights)
GDPR pledges to give individuals more control over who can store their data and how it can be used. To achieve this, GDPR strengthens a number of existing individual rights as well as introducing a number of new rights.
Some data subject rights include the right to be forgotten (have personal data rectified, blocked or erased), the right to object to processing, the right to non-automated decisions (prohibits wholly automated decisions including profiling) and the right to claim (compensation for damage suffered as a result of a breach of the Regulation).
New obligations for organisations
The principles remain similar to the old directive, although added detail has being included at certain points. The most significant addition is the accountability principle. GDPR requires you to evidence and prove how you comply with the principles. Certain organisations will have to appoint a nominated ‘Data Protection Officer’. Organisations will also be obliged to carry out data protection impact assessments, implement data protection policies and report breaches within short and specific timeframes.
If you have any queries over the points raised or seek advice regarding how best to prepare your organisation for the new General Data Protection Regulation, please contact Karl Thomas today.
Call: 029 2022 4433