The GDPR compliance deadline is fast approaching, and many tech companies are updating their data protection practices for the 21st century ahead of the regulation that, in the UK, replaces the Data Protection Act 1998.
The General Data Protection Regulation has been drawn up to ensure that organisations like Google and Facebook follow stricter rules amid concerns over how personal data is collected and shared.
Those concerns were heightened by the Cambridge Analytica scandal surrounding the 2016 US election, which led to Facebook CEO Mark Zuckerberg testifying before Congress.
With over 87 million users estimated to have had their data harvested through the ‘This Is Your Digital Life’ quiz, it has also emerged that private Facebook Messenger conversations may also have fallen into the hands of Cambridge Analytica. But what is GDPR?
What is GDPR?
The General Data Protection Regulation has been created over the course of four years in order to strengthen data protection in an era in which people are continuously giving social media websites permissions to use their personal information in exchange for ‘free’ services.
In the UK, GDPR replaces the Data Protection Act 1998, which was itself brought into law to implement the 1995 EU Data Protection Directive and give people more control over how organisations use their data.
The regulation also introduces penalties for organisations that fail to comply with the new rules, including those that suffer data breaches as a result, and it harmonises data protection law across the European Union.
A significant change is that companies that fail to provide adequate security for the personal data they hold can be fined heavily.
Why do we need GDPR?
The advent of the Internet and the emergence of the cloud allowed organisations to use personal data for their own purposes, which caused problems when individuals wanted to know how their information was being used.
GDPR was planned because the EU needed to bring data protection law into line with the 21st century, a time when people use free services like Amazon, Google, Twitter and Facebook and hand over their information freely.
Alongside this, the EU wanted to align data protection law across all member states so that companies are clear about what they need to comply with.
When will the GDPR be implemented?
The GDPR will apply from May 25, 2018 in all EU member states automatically, without each country having to draw up its own legislation.
While businesses have until May 25, 2018 to ensure they have applied the new rules, the regulation itself entered into force on May 24, 2016 after the EU agreed the final text.
Who does the GDPR apply to?
GDPR applies to those who decide how and why personal data is processed, the controllers, as well as those who process data on their behalf, the processors. This means GDPR can apply to any organisation that handles personal data, whether a company, charity, government body or IT firm.
It also applies to controllers and processors based outside the EU that process the personal data of people in the EU. Controllers are responsible for ensuring that the processors they use comply with the new law and process data lawfully, and processors themselves are required to keep records of their processing activities.
Once GDPR is in place, data must be processed lawfully and transparently, for a specified purpose, and deleted once it is no longer needed. Where processing relies on consent, that consent must be given actively by the user, through a clear affirmative action, not passively through pre-ticked boxes.
What is personal data?
Under the GDPR, the European Union has broadened the definition of ‘personal data’ so that it explicitly covers online identifiers such as IP addresses, as well as information about an individual’s mental health and their cultural and economic circumstances.
Individuals already have the right to access the information a company holds about them and to know how and why their data is being processed, as well as who will see it. They can also have their data rectified and, in certain circumstances, erased.
How much are GDPR fines?
When a personal data breach occurs, the organisation must notify its data protection authority within 72 hours of becoming aware of it; in the UK, this means the Information Commissioner’s Office, or the ICO. The authority should be told the nature of the breach, how many people have been affected, what the consequences could be and what measures have been taken in response.
Where the breach is likely to put people’s rights and freedoms at high risk, the individuals affected must also be informed without undue delay. Organisations that fail to meet these notification obligations could face a penalty of up to two per cent of annual worldwide turnover, or €10 million (£8.7m), whichever is higher.
If people’s rights are ignored, the fine could reach up to €20 million (£17m) or four per cent of global annual turnover, whichever is higher.
Does Brexit affect GDPR?
Article 50 was triggered in March 2017, giving the UK two years to leave the European Union, which means GDPR will take effect while the UK is still a member.
In August 2017, the UK government put forward a new Data Protection Bill, which replicates the requirements of GDPR in UK law ahead of Brexit. The new bill allows the ICO to issue fines of up to £17 million, or four per cent of global turnover, whichever is higher.