With its deadline of May 25 2018, the new GDPR has got a lot of businesses equally confused and worried; here are five things you’ll need to know for your business.
1. It’s a regulation, not a directive
This means that the law will apply equally in all nations across Europe, which should bring uniformity and clarity to businesses operating in different countries or looking to expand.
It also means that firms from the US processing data on EU citizens must adhere to the law, even if they have no presence in any European nation.
2. Larger fines
The biggest fine an organisation can face from the UK’s Information Commissioner’s Office (ICO) is currently £500,000 (although it has never issued such a large penalty).
However, under the GDPR these powers will increase to €20m or up to four percent of a company’s global annual turnover, whichever is higher.
3. Firms of over 250 staff must employ a data protection officer
The EC wants to ensure that large organisations processing a lot of data have someone who takes responsibility for that information, and having a data protection officer role is part of the new law.
However, this applies only to firms with over 250 staff in an effort to reduce the burden on SMEs. Smaller firms may still need to employ someone in this role if handling personal data is core to their operations.
This may not have to be a full-time employee but could be “an ad-hoc consultant, and therefore, would be much less costly”.
4. Rapid notification of breaches
One big change is that the GDPR will require firms to notify data protection authorities, such as the ICO in the UK, of any data loss incidents as soon as possible, which the EC suggests should be within 24 hours “when feasible”.
How often this is adhered to will be one of the most interesting elements of the new law when it comes into force. Organisations would do well to bear this in mind: if it does become the norm, they will have to get used to acting promptly on any incidents.
5. Right to move data or have it deleted
Organisations must make it possible for people to have their data removed from a database if there is no legitimate reason to keep it. Similarly, citizens can request that their data be moved from one provider to another if they want to change from one firm to another, which the EC said should promote competition among businesses.