What are the main features of the new law?
Among the law changes proposed for the year, the General Data Protection Regulation (GDPR), is
a new law bringing two highly sensitive policy areas to the forefront - those of consumer rights and
data protection. The regulation, entering into force across the whole of the European Union (EU)
including the United Kingdom in May 2018, serves as a major deterrent against those businesses
with a lax approach to data security and privacy breaches.
The GDPR replaces the Data Protection Directive 95/46/EC and is designed to harmonise data
privacy laws across the EU, to afford greater data protection to EU data subjects who often
have no idea just how much of their personal data is stored, and how it’s being used. The other
objective of the sweeping new regulation is to restructure the way businesses and organisations in
the targeted areas, approach data security.
The law aims at beefing up security and making the way businesses store and use personal data
of their clients and customers, more secure. Heavy penalties have also been introduced to ensure
that companies remain compliant, as well as take proactive measures to ensure that they’re not
caught on the end of a data breach, regardless of how it comes about.
How exactly do things change?
Procedures relating to consent
Among the many changes brought about by the new regulation, conditions for consent have been
visibly strengthened, with companies no longer able to rely on highly technical and complex legal
language to shroud low-level protection of sensitive personal information. Consent forms must now
be clear and simple, allowing individuals to get the full picture on what and how their data will be
stored and used. Even more so they are also able to withdraw their consent if they choose to do
so. This entitles data subjects to have their data erased, cease the further dissemination of
information and thereby prevent third parties from processing it as well. Article 17 specifies that this
also includes data that can no longer be deemed relevant to the original purpose for processing.
Notification of breach and data portability
The GDPR also requires all entities to register a breach notification within 72 hours of becoming
aware of such a breach. Thereafter, this requires that data processors notify their customers and
controllers of the breach without any undue delay. Data subjects also now have the right to request
data stored about them in ‘machine-readable format’ to transmit that information to another
The ‘Privacy by Design’ concept
What this entails is that protection and data sensitivity are integrated and made a central part of
any company system/framework design, as opposed to slapping on such measures at a later date.
According to the GDPR, this includes appropriate technical and organisational measures to better
address the requirements of the regulation and protect the data rights of subjects.
Appointment of Data Protection Officers (DPO)
Under the GDPR internal record-keeping requirements have been laid down, as well as DPO
appointments, in those organisations where controllers and processors whose core duties include
processing operations, which require frequent and systematic monitoring of individuals on a large
scale, or of specific categories of data including those relating to criminal offences and convictions.
The appointments of DPOs are further governed by certain conditions, which are further outlined in
The importance of staying on the right side of the law
Given these heavy requirements of this regulation, it is clear that nothing short of strict adherence is necessary. As per the provisions of the GDPR, heavy penalties await those found to be negligent in these duties, as well as those whose lack of care results in a data breach. Organisations found to be in violation of the new rules can be fined up to 4% of their annual turnover, or a fine of 20 million Euros,
whichever is the greater amount. This is reserved for serious infringements, such as those where
data is stolen or not having the required subject consent, among others. You could also be charged
2% of turnover if your company records are not in order, fail to notify authorities or data subjects of
a breach, and more. It important to note that data clouds will not be exempted from these rules.
Apart from very serious penalties, remaining compliant to the provisions of the GDPR is particularly
pertinent given the emerging awareness and consciousness data subjects have about their rights, as
well as increasing concern over sharing personal information. This means that apart from being
penalised by the law, consumers will also actively shun any businesses and organisation that fails
to deal with confidential data sensitively.
All in all, it is wise to familiarise oneself with the emerging law change, and take measures to
prepare for a new environment of heightened data security and consumer protection.
In this regard, Meta Defence Labs is a leading provider of GDPR & cybersecurity solutions, which will feature a key role in the coming months. We’re happy to provide you with any information required going forward, so feel to contact us for more on this topic.