The New General Data Protection Regulation – What It Means for Your Business
In May 2017, a new EU Regulation addressing data protection entered into force. The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 will be enforceable from May 2018. It is the first major development in information protection in 20 years. It was designed to address the changes to the use of personal information in the internet age and to harmonise the existing and diverse data protection laws throughout Europe.
The Need for New Regulation
The development of new legislation to address data protection needs has been on the cards for some time. The requirement for this has been seen in Ireland with reports from the data commission stating that a record high was observed in 2016 with almost 1,500 complaints. Several controversies surrounding data breaches in prominent global companies such as Yahoo have been observed.
Other accidental leaks and a series of fraudulent hacking incidents exposing highly confidential information have also fuelled the necessity to revise the legislation. Such as that of LinkedIn in which 117 million passwords were sold by hackers. This article will look at some of the key features of the new Regulation. Their impact on businesses both inside and outside the EU has been focused upon as well.
General Data Protection Regulation & It’s Impacts
The GDPR offers increased power to the individual over what happens to their personal information. Furthermore, it gives greater power to authorities to take legal action against businesses who misuse data and are in breach of the law. It will require organisations across the EU to restructure their approach of data usage as it empowers individuals to have more control over their personal information.
One of the key aspects of the new legislation is that it will be compulsory for companies who process data to ask for consent from the user. It should be in the form of a clear, legible and coherent request form. That is in case they are to proceed in using their information. The days of being hit with long, densely packed legal jargon before clicking “accept” are over. The right to be forgotten, de-listed and erased from records will also come into play. Though it remains to be seen in practice how challenging a feat for individuals this may prove to be if, for example, it is to be a website-by-website task. Nonetheless, it will be a legally enforceable entitlement.
Another significant impact that the new law will bring is that of the penalties inflicted on businesses if breached. Organisations will face fines of up to 4% of GDP or €20 million (whichever is greater) if found guilty of some of the more serious infringements, such as lack of sufficient customer consent to process data. Furthermore, the right to sue companies for material and non-material damage arising from the use of personal information applies to the data subjects.
Perhaps the biggest change that the GDPR will bring to personal data legislation across Europe is the scope, which has now been extended to include all organisations who process data of subjects who are residing in the EU. This is regardless of the location of the company, squashing previous ambiguity over territorial applicability. Additionally, it makes clear that the scope includes the processing of personal data of EU citizens who are living outside of the EU.
Personal Data & The New Regulation
The definition of “personal data” has also incurred some tweaking. While the 1995 Directive defines it as,
“any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”
The new Regulation extends the definition to,
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
This now allows for both location and online identification to be branded as personal data as well as genetic information. The older Directive did not include these explicitly.
So what is the bottom line for businesses? Fundamentally, the GDPR provides increased power to the individual or data subject over the use of their personal information. Also, it assigns significantly more duty and accountability on the businesses and online platforms processing that data. It requires organisations to implement well-organised information strategies, polices and governance if it is to work within the legislative framework and avoid hefty monitory penalties. The newly enlarged control assigned to the individual as well as the obligations on the organisations using their data is setting up a future of a lot more transparency surrounding the matter of personal data processing. In addition, has the potential to have a substantial impact on industries who rely on data trading for profit.
 Article 2(a) of the EU Directive 95/46/EC – The Data Protection Directive
 Article 4(1) of the Regulation (EU) 2016/679 – The General Data Protection Regulation
QP Tech Breakfast Briefing