The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council, will replace the Data Protection Directive 95/46/EC in spring 2018 as the primary law regulating how companies protect EU citizens’ personal data. And it’s the biggest shakeup to data protection since the UK’s 1998 Data Protection Act.
The new rules will come into force in May 2018, and early indicators suggest that many businesses aren’t ready. According to one study, around 3.2 million small companies in the UK don’t have plans in place to ensure they are GDPR-compliant. This could be a risky move, as failure to comply with the new rules can result in a fine equal to 4% of annual global revenue or €20 million, whichever is greater.
If your company is not based in Europe but you have clients who are citizens of Europe, your company is required to be compliant.
What Is GDPR?
Personal data is considered to be anything which can be used to identify a person—this might include full names, email addresses, postal addresses or demographic information. We give up personal data every day, and we rely on companies to do the right thing with our data and not to be negligent.
With GDPR, we have greater rights over our personal data. We’ll have the right to access and change the information that companies hold on us. Meanwhile, companies are required to be more transparent about how they handle and process data. The policy update is said to demand a cultural shift within companies rather than a simple change to the way they collect data.
How Will Data Protection Change?
Under the new laws, customers will have the following rights:
- The right to be informed
- The right to access data
- The right to change data
- The right to erase data
- The right to object to processing
- The right to move their data record
- The right to object
- Rights with regard to profiling and automated decision making
Companies will have to be a lot more open about how they collect, store and process data. There will also be harsher punishments for companies that fall foul of data breaches.
So, How Can Companies Prepare for GDPR?
Every company should carry out a GDPR audit. Consider taking these steps:
- Review your password protection protocol for accessing customer information
- Encrypt any devices that hold customer information
- Encrypt any devices that allow you to access customer information remotely
- Conduct an information audit to determine where the information you currently have is from
- Review how you obtain consent from users to collect, store and process their data
- Consider how you will handle requests to view, change, move or erase data
The vast majority of companies won’t have to make too many changes. These changes are intended to manage dishonest companies while also providing responsible companies with more sophisticated guidelines.
The infographic below, produced by Caunce O’Hara, highlights the key changes that companies will need to be aware of. It also highlights how these changes will benefit companies and their customers.