What Everyone Should Know About the New EU Data Protection Legislation
With the passing of the General Data Protection Regulation (GDPR) last spring, the European Union (EU) has shaken up data protection practices – and created a blueprint for responsible data practices that organizations around the world can learn from.
The changes strengthen individual privacy rights and increase data protection enforcement, according to UK Information Commissioner Elizabeth Denham. They’re also aimed at “inspiring public trust and confidence”.
A survey earlier in 2016 showed that only one in four adults trust businesses with their personal data.
Accountability is key, said Denham.
“It’s your job and your company’s job to understand the risks you’re creating for others, and to mitigate them,” she said. This entails investing in privacy fundamentals from the get-go.
“Wherever you are in the world, the themes of good data protection legislation are the same – consumers have the right to know what’s happening with their information combined with business transparency and accountability.”
For countries that are part of the EU, the GDPR replaces the current Data Protection Act and goes into effect in 2018.
The new data legislation also extends beyond EU borders. The rules apply to any country and organization that does business with an EU country.
Here are important aspects of the new data protection legislation:
- Consent: Businesses must obtain explicit consent to use an individual’s data. There also has to be a legal basis for holding and processing personal data.
- Right to be forgotten: The new ‘right to be forgotten’ means anyone can get their personal data corrected or removed from the internet if it’s inaccurate or outdated.
- Higher fines for non-compliance: Organizations that do not comply face substantially increased fines (up to 4% of their global turnover).
- Leadership: Leadership in data security is necessary. Companies may have to employ a data protection officer (this may depend on the size of the company). The data protection officer will be in charge of keeping servers, systems, protocols, and privacy practices up-to-date in the organization.
- Transparency: Companies have to be more transparent about how they are using data. Maintaining internal data protection policies and procedures is required. Companies will have to be able to show how they are complying with the legislation in terms of mechanisms, policies, and systems that help achieve compliance.
- Notification: Data breaches must be reported within 72 hours of the organization learning of them. Data breaches and investigations must be documented. The willful destruction or alteration of data is considered both a breach and theft. (This should be part of a comprehensive Data Breach Response Plan.)
- Information destruction: A company will have to delete data if it is no longer used for the purpose it was collected or if the individual revokes consent for the company to hold it. The industry gold standard is to have scheduled professional and secure destruction services for both paper and electronic data.
Find out more about the national privacy laws within North America and how your workplace can stay compliant with our privacy legislation whitepaper.