An agreement was reached on the draft EU General Data Protection Regulation (GDPR) at the end of 2015, and it signifies the dawn of momentous changes to privacy law: the biggest changes in two decades.
Data protection seems never to be out of the news, and it is certainly an area where new legislation is being introduced on a regular basis. It is important, however, to take good note of this latest Regulation, because it is set to have a huge impact on any business that operates in the financial services, transport, energy and water or health sectors. Search engines, cloud computing providers and internet payment operators will also be affected.
Now is the time to start preparing if your business falls under any of these categories, because there is much to do. Risk assessments will need to be adjusted to accommodate the new rules and, as Stewart Room, head of data privacy at PricewaterhouseCoopers, says, “Most companies will be shocked at the scale of the new rules and the work that needs to be done before the laws take effect in two years – it is not much time for the magnitude of the internal changes that will be required.”
There are still fine details to be confirmed, but in the meantime you should make yourself aware of the following key points of the GDPR:
- If your company breaches data rules in a serious way then you will need to report the incident to regulators within 72 hours.
- If your business is found to be in breach of the GDPR then it will be fined up to 4 per cent of its global turnover.
- If you handle significant amounts of data then you will be required to appoint a data protection officer within your business.
- Consumers will have the right to request that their data is transferred from one company to another, so that their preferences and order history are made available to them through their new supplier.
- A consumer’s right to be forgotten will no longer be limited to search engines. It will now extend to their entire web history, allowing them to request total removal from any online platform and its history trail.
The GDPR is likely to become EU law in the early part of 2016. A two-year grace period will precede enforcement. Even if your business does not fall into one of the GDPR-governed categories, it is still vitally important that you are fully aware of all the legislation that applies to your business, especially considering the new powers held by the Information Commissioner’s Office (ICO) concerning the use of data in telemarketing campaigns.
