Come May 25, 2018, a new data protection regulation will apply across the EU and UK. The new General Data Protection Regulation (“GDPR”) will replace the old Directive 95/46/EC and is said to be the toughest data protection law globally.
The scope of the GDPR will expand to the point of leaving almost no business in Europe unaffected. All EU companies will have to abide by the law, and so will companies outside the EU that process the data of EU subjects, or otherwise face hefty fines. Companies, government agencies, NGOs or any other type of organization that collects and/or analyzes personal data will be subject to the law. With the deadline approaching, companies around the globe are scurrying to get into compliance.
The main aim of the law is to safeguard people’s personal data by giving them control over it. How is that going to happen?
By introducing a variety of new rights, which include the right to be informed, the right of access, the right of rectification, the right to restrict processing, the right to object, the right to be forgotten (erasure) and, most interestingly, the right not to be subject to automated decision making. The latter is a particular topic of debate in the legal field, concerning how to determine liability for machine profiling used for purposes such as sorting job applications, or for accidents involving autonomous vehicles.
By making it a requirement that breaches be reported to the authorities within 72 hours of their occurrence. The responsible officers must also notify the individuals impacted without delay. Depending on the seriousness of the breach, companies may pay up to 20 million euros, or 4% of their annual turnover, whichever is greater. Other, less serious breaches may cost companies up to 2% of their turnover. Put simply, companies won’t be able to take the GDPR lightly: the compliance bar is high, and the damage will not only reach their pockets but also inevitably harm their reputation.
Even the form of consent is specified by the GDPR. It can no longer be assumed and, most importantly, it must not be ambiguous. Requests for consent must be precise, clear, concise and easily understood. No more hundreds of pages of legal or technical jargon that no one comprehends or cares to read. Individuals will also have the right to withdraw consent at will.
The prize to be sought is twofold: the empowerment of EU citizens with respect to their personal data, and the harmonization of rules within and beyond Europe.