23rd March, 2018
The new General Data Protection Regulation (GDPR) is being introduced on 25th May 2018. With the launch of this looming, many people are still confused as what to expect and look out for once these new regulations are in place.
Here is a brief overview of some of the changes which are coming our way shortly;
Penalties
GDPR brings with it large penalties for not conforming to the new regulations. If you were to have a security breach under the currently existing Data Protection Act your company could be met with a maximum fine of £500,000. Once the new EU GDPR regulations come into effect these fines increase to €20,000,000, or 4% of annual global turnover, whichever is greater.
GDPR User Rights
With GDPR comes more rights for users. One of these rights being the Right to Access, this gives to user the right to ask whether or not personal data concerning them is being processed, where and for what purpose. With this right the user will also have to be granted a copy of the personal data, free of charge, in an electronic format. As an eye opener to exactly what type of information is collected about yourself and how it’s used, it could be a worthwhile exercise to use your right to view this information.
A user can also use their right to be forgotten (also know and Data Erasure), if a user moves forward with this action, then as a business or organisation you would have to cease further dissemination of the data, and potentially have third parties halt processing of the data.
Remember, to save yourself from any unnecessary headaches, collected data should be adequate, relevant and limited. If the information you need can be achieved by collecting less data, do so.
GDPR Breach Notifications
Currently it can typically take two months to get to the bottom of a security breach, under the new regulations this timeline becomes much stricter. Businesses will now have only 3 days to report any security breach which is likely to pose ‘a risk for the rights and freedoms of individuals’. If a security breach has been flagged you would then need to pass on the complete details of which citizens’ data were impacted by the breach.
Personally Identifiable Information (PII data)
GDPR has expanded the definition of PII data to include a much broader range of information. Under the new definition the following data types are now included under the PII data umbrella:
IP addresses
Health data
DNA (genetic data)
Photos
Social media posts
Lifestyle preferences
Explicit Consent Required
Gone are the days of checkboxes which users have to opt out of instead of checking to opt in. Under a sometimes confusing guise where a user gives consent by having a pre-ticked checkbox opt them in many companies have used this tactic to grow their user databases, until now. Under GDPR consent must be gained through a clear ‘positive opt in’ checkbox.
EU or not EU?
These regulations affect the citizens of European countries, a question that’s being asked by many is “does Brexit mean that this isn’t something as a UK business we should worry about?”. The affirmative answer here is “yes!” worry about it. The regulations aren’t set on European companies, but European citizens, as you can’t always guarantee where your users are coming from the best assumption to work under is that every person you deal with is a European citizen. This way you can’t slip under anywhere and you also become more prepared for the future, as these regulations will surely make their way across the world in the upcoming years, be ready, be well prepared.
A Final Note
This is just the tip of a very in-depth and unfortunately vague implementation of new regulations. Be sure to continue your research on this subject matter as any mistake from the 25th of May onwards can be very costly.
If you feel like your website could use a security check or an informed eye to view any data collection points before the 25th of May please contact us. We can arrange a time to check your site and make any amendments needed.
Luke