If you store, process or share any personal data on EU citizens the General Data Protection Regulation (GDPR) will affect you - soon
02 Mar 2018
Outside Europe the General Data Protection Regulation (GDPR) has only just started to make the headlines, and it is ignored by, or remains unheard of to, the vast majority of businesses. Yet this significant update of data protection law is likely to have a noticeable impact across the world.
Coming into force on 25th May 2018, the GDPR strengthens all data protection rights for EU individuals, and this new legislation will affect any European member state business offering goods or services. With the existing laws overdue for revision and varying between countries, the GDPR will provide more consistent protection of personal data rights.
Not only that, the new regulation puts ownership of data back in the hands of data subjects and places new responsibilities on companies who use their customers’ data for various reasons, starting with marketing.
So, what does this mean for countries outside the EU – if anything? This is a question that many businesses across all continents (including a post-EU referendum UK) are asking. As CEO, should you care about GDPR if you are outside the European Union?
The short answer is that if your company does any form of trade with customers within the EU, then GDPR rules will apply to you if you store, process or share EU citizens’ personal data.
Before the Safe Harbor agreement, American companies could self-certify with a promise to protect EU citizens’ personal data when it was transferred to and stored in the US, and use it without needing to ask for consent. But with Safe Harbor deemed inadequate and revoked at the end of 2015, and the Privacy Shield (only relevant to US companies) heading the same way, any contracts drawn up once GDPR is in force will need to ensure a similar level of protection to avoid serious punitive action.
Contravention of the GDPR can result in fines of up to 4% of a company’s global annual turnover, or €20 million (whichever is greater).
Creating and adopting a similar set of laws on a par with GDPR is likely to be the course of action taken by Supervisory Authorities all around the world for all countries that believe in data privacy and protection.
So, what are the most notable regulations that businesses should take note of? They include:
- The right to be forgotten: Individuals will have the power to object to the processing of their data and the right to erase their data.
- The right to access their own data: Individuals will have more information on how their data is processed, and this information should be available in a clear and understandable way via Subject Access Requests (SARs). The ease with which consumers can submit SARs has the potential to be a serious headache for organisations. Businesses that process such personal data are required to stipulate and prove what data they store, who the recipients of the data are and what they use it for, in most cases within a month and free of charge.
- The right to data portability, making it easier for the transfer of personal data between service providers.
- The right to know if there has been a breach of your data: Organisations must notify the national Supervisory Authority of serious data breaches as soon as possible (within 72 hours) so that users can take appropriate measures.
- Marketing consent: The GDPR has refined the rules for obtaining consent and for how valid consent needs to be demonstrated. Organisations will need clear records to show the date of consent, what has been consented to, the method of consent and who obtained it.
Existing in a global marketplace means that GDPR cannot be ignored, and now is the time to ensure that your company prepares for how the changes could affect it.
Ensuring compliance now, while there is still time to get the appropriate systems and processes in place, is likely to be complicated and costly – but it will also benefit your business in the long term, as your customers will feel more inclined to interact with you if their data is properly controlled and stored.
Article prepared in cooperation with Hansal International. Hansal International operates across Europe, Africa and Asia. For more information on Hansal International please visit www.hansal-international.com