What are the main features of the new law?

Among the law changes proposed for the year, the General Data Protection Regulation (GDPR), is a new law bringing two highly sensitive policy areas to the forefront - those of consumer rights and data protection. The regulation, entering into force across the whole of the European Union (EU) including the United Kingdom in May 2018, serves as a major deterrent against those businesses with a lax approach to data security and privacy breaches.

The GDPR replaces the Data Protection Directive 95/46/EC and is designed to harmonise data privacy laws across the EU, to afford greater data protection to EU data subjects who often have no idea just how much of their personal data is stored, and how it’s being used. The other objective of the sweeping new regulation is to restructure the way businesses and organisations in the targeted areas, approach data security.

The law aims at beefing up security and making the way businesses store and use personal data of their clients and customers, more secure. Heavy penalties have also been introduced to ensure that companies remain compliant, as well as take proactive measures to ensure that they’re not caught on the end of a data breach, regardless of how it comes about.

How exactly do things change?

Procedures relating to consent

Among the many changes brought about by the new regulation, conditions for consent have been visibly strengthened, with companies no longer able to rely on highly technical and complex legal language to shroud low-level protection of sensitive personal information. Consent forms must now be clear and simple, allowing individuals to get the full picture on what and how their data will be stored and used. Even more so they are also able to withdraw their consent if they choose to do so. This entitles data subjects to have their data erased, cease the further dissemination of information and thereby prevent third parties from processing it as well. Article 17 specifies that this also includes data that can no longer be deemed relevant to the original purpose for processing.

Notification of breach and data portability

The GDPR also requires all entities to register a breach notification within 72 hours of becoming aware of such a breach. Thereafter, this requires that data processors notify their customers and controllers of the breach without any undue delay. Data subjects also now have the right to request data stored about them in ‘machine-readable format’ to transmit that information to another controller.

The ‘Privacy by Design’ concept

What this entails is that protection and data sensitivity are integrated and made a central part of any company system/framework design, as opposed to slapping on such measures at a later date. According to the GDPR, this includes appropriate technical and organisational measures to better address the requirements of the regulation and protect the data rights of subjects.

Appointment of Data Protection Officers (DPO)

Under the GDPR internal record-keeping requirements have been laid down, as well as DPO appointments, in those organisations where controllers and processors whose core duties include processing operations, which require frequent and systematic monitoring of individuals on a large scale, or of specific categories of data including those relating to criminal offences and convictions. The appointments of DPOs are further governed by certain conditions, which are further outlined in the GDPR.

The importance of staying on the right side of the law

Given these heavy requirements of this regulation, it is clear that nothing short of strict adherence is necessary. As per the provisions of the GDPR, heavy penalties await those found to be negligent in these duties, as well as those whose lack of care results in a data breach. Organisations found to be in violation of the new rules can be fined up to 4% of their annual turnover, or a fine of 20 million Euros, whichever is the greater amount. This is reserved for serious infringements, such as those where data is stolen or not having the required subject consent, among others. You could also be charged 2% of turnover if your company records are not in order, fail to notify authorities or data subjects of a breach, and more. It important to note that data clouds will not be exempted from these rules. Apart from very serious penalties, remaining compliant to the provisions of the GDPR is particularly pertinent given the emerging awareness and consciousness data subjects have about their rights, as well as increasing concern over sharing personal information. This means that apart from being penalised by the law, consumers will also actively shun any businesses and organisation that fails to deal with confidential data sensitively. All in all, it is wise to familiarise oneself with the emerging law change, and take measures to prepare for a new environment of heightened data security and consumer protection.

In this regard, Meta Defence Labs is a leading provider of GDPR & cybersecurity solutions, which will feature a key role in the coming months. We’re happy to provide you with any information required going forward, so feel to contact us for more on this topic.