Europe’s data protection rules are about to undergo their biggest change in more than twenty years. The existing rules, written in the 1990s, never anticipated that the volume of digital information we create, capture, and store would reach today’s levels. The European General Data Protection Regulation, or GDPR, agreed by the member states, goes into effect on May 25 2018 and updates how businesses handle and process customer information; here is what the changes mean for your company.
GDPR replaces the 1995 Data Protection Directive, on which current UK law is based. The new regulation is designed to harmonize data privacy laws across Europe, giving greater protection and rights to individuals. GDPR brings three big changes for the public and for businesses that handle personal information.
There are new rights for people to access the information companies hold about them, obligations on businesses to manage data better, a requirement to obtain consent through an opt-in mechanism before collecting data, and a new regime of fines for non-compliance.
Both personal data and sensitive personal data are covered by GDPR. Personal data generally means anything that can be used to identify a person, such as a name, an address or even an IP address. Sensitive personal data includes genetic information, details of political and religious affiliations, sexual orientation, and other such categories.
Where GDPR differs from current data protection law is that obfuscated or pseudonymised personal data still falls under the regulation if the person could be identified from it; pseudonymisation reduces risk but does not take the data out of scope.
Companies covered by GDPR will be accountable for how they handle people’s personal information. This includes having data protection policies, carrying out data protection impact assessments, and keeping detailed documentation of how data is processed and stored.
Companies with over 250 employees need to have documentation explaining why people’s information is being collected, a summary of that information, how long it is being stored, and a description of the technical security measures in place. Companies that process large amounts of personal information, or that review it at high frequency, may need to hire or assign a Data Protection Officer, or DPO, to ensure compliance.
GDPR will affect different businesses in different ways when it is implemented. To help companies prepare for the start of GDPR, the ICO has created a 12-step guide, which is available here.