The biggest overhaul of data privacy regulation in the history of the internet comes into force one month from today.
From May 25 in the EU, the new General Data Protection Regulation (GDPR) will give regulators greater power to levy large fines on firms who mishandle data, as well as hand users new powers to access and control their data.
The new laws also strengthens the jurisdiction of EU regulators, with the new rules applying to all companies and data controllers who handle the data of EU citizens, regardless of where the company itself is based.
Technology and internet giants such as Google, Facebook and Apple will also face greater accountability under the laws – which require firms to report any data breaches likely to “risk the rights and freedoms of individuals” within 72 hours of first becoming aware of it.
The fines for violating the new rules are also significantly larger, with regulators able to impose penalties of up to 4% of annual global turnover or 20 million euro, whichever is greater.
It means multibillion-dollar companies such as the US tech giants could face unprecedented financial penalties.
The regulation is described by the EU as a way to ensure EU citizens’ privacy is protected in an “increasingly data-driven world”.
For users, the new regulation enshrines the right to access their data, including details on what data is being collect and for what purpose.
Many firms, including Facebook and Twitter, have already begun updating their privacy policies in order to meet these new transparency rules, and make it easier for users to see how their data is processed.
The right to be forgotten is also part of the regulation, entitling users to have a data controller erase their personal data upon the user’s withdrawing of consent.
However, there have been warnings about the readiness of smaller companies also expected to comply with the new rules.
Mike Cherry, national chairman of the Federation of Small Businesses (FSB), said some smaller firms may not be compliant by May 25 and has called the Information Commissioner’s Office (ICO) to be understanding in their enforcement of the new laws in the UK.
“As the GDPR deadline swiftly approaches, there is a real danger that many small businesses are yet to have adequately prepared for the changes,” he said.
“Fortunately, for these businesses, there is still time on the clock to start, or finish, their preparations.
“The GDPR is the largest shakeup of data protection laws for years, and whether you are a personal trainer or a consultant, most businesses will have to implement changes to their current practices to make sure they are complying with the new rules.
“Given the extent and the breadth of the changes, it is clear that a majority of small businesses will not be fully compliant before May 25 and will most likely not be compliant when the changes hit.
“With this in mind, it is critical that the ICO manages non-compliance in a light touch manner with the focus being on education and support, not punishment.”