New data laws come into force in Europe today, but how will the General Data Protection Regulation (GDPR) affect businesses and the general public?
What is GDPR?
The General Data Protection Regulation is a new, EU-wide law that gives greater power to regulators to penalise companies who mishandle personal data or are not transparent about how their business uses it.
For consumers, it brings new powers that require firms to obtain clear consent from users before processing their data, as well as grants users a right to easily access the data collected from them and transparency on how it is being used.
What are the key aspects of the regulations?
As well as those already mentioned, one key element is the increased jurisdiction GDPR gives regulators.
Under the new rules, any company that controls or processes the data of EU citizens must adhere to the GDPR guidelines, ending the territory-based accountability that some firms based outside the EU previously relied on to avoid sanction.
The law also states that notification of a data breach must occur within 72 hours of being first discovered, increasing transparency around such incidents.
The size of the fines that can be issued will also increase under GDPR. Regulators will be able to issue penalties of up to 4% of annual global turnover or 20 million euro (£17.5 million) – whichever is greater.
For tech giants such as Google and Facebook, this could mean the risk of fines running into the hundreds of millions.
Will it make a difference to business?
It already appears to be doing so. Many large technology and internet companies have begun making their data practices more transparent, with the threat of large fines hanging over them.
Both Facebook and Twitter have been rolling out updates to their privacy policies, adding clearer language and descriptions of data use, and offering users more tools to share or remove their personal data from those platforms, as GDPR requires.
The recent Cambridge Analytica scandal has also increased public scrutiny on data use, with Facebook acknowledging it has received more questions from users recently on how it gathers and shares personal data.
Am I likely to be affected?
Yes. Whether you own a business, run a charity, or have signed up to newsletters via social media or online shopping websites, the GDPR is likely to impact us all.
The regulation will give individuals easier access to the information that organisations hold about them – free of charge.
Currently, there is a £10 fee for a Subject Access Request (SAR), which businesses and public bodies can charge before releasing any personal information. Under the GDPR this fee is scrapped: requests for personal information can be made free of charge and the information must be released within one month.
What happens if I ignore it?
Everyday users have to do very little to comply with GDPR – it’s more targeted at big online businesses.
Many people will already have noticed emails from organisations asking whether they still want to receive their mailing list and other information. However, these are not necessary in every case: if you have an existing relationship with a firm from which you have purchased products or services, you do not need to give fresh consent.