General Data Protection Regulation changes (GDPR) – What you need to know

On May 25th 2018, data protection laws – specifically the EU General Data Protection Regulation – will come into force. Any business that engages in marketing activities will need to be aware of these regulations or risk facing heavy fines in cases of non-compliance.

In this blog, we’ll run through the General Data Protection Regulation, what it means for your business and how to ensure you remain compliant.


What is General Data Protection Regulation (GDPR)?

The GDPR is Europe’s new framework for data protection laws – it was created in 2016, comes into force on May 25th 2018 and replaces the previous 1995 data protection directive, which current UK law is based upon.

According to the EU GDPR website (www.eugdpr.org), the new regulation has been “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy”.

What are the changes and what does it mean for my business?


Key changes include:

(NOTE: the definition of personal data will also be expanded to include IP address information and internet cookies.)


  • Increased Territorial Scope
    • The new data protection rules will now apply to all companies processing the personal data of EU citizens – regardless of the company’s location. This means that whether you’re based in the EU or not, if you gather the data of a customer or individual, these new rules will apply to your business. Importantly, non-EU-based businesses that process the data of individuals will have to appoint a representative that is located within the EU.


  • Tougher Penalties
    • With the new GDPR rules come tougher penalties for businesses that don’t comply. Businesses in breach can be fined up to 4% of annual turnover or €20,000,000, whichever is greater.


  • Stricter Consent Conditions
    • Terms and conditions that are designed to be purposefully and unnecessarily long and confusing or hard to read will become a thing of the past. Data consent forms must be clear and easily accessible and the purpose of the data collection and processing must also be part of the form. It must also be just as easy for individuals to withdraw consent as it is to give it.


  • Fast-Breach Notification Responses
    • If there has been a data breach, those affected must be notified within 72 hours of the company first becoming aware of the breach.


  • Free Right of Access to Data
    • Data must be stored in a way that, if an individual requests a copy of the data a company holds on them, the company can supply them with an electronic copy of all the data it holds that relates to them.


  • Right to be Forgotten
    • This entitles the individual to demand that any data relating to them goes no further and to ask for it to be removed (either from being publicly available online or from a company database), essentially halting the processing of that data and erasing it. That said, whether data can be erased depends on weighing the data subject’s rights against the “public interest in the availability of the data”.


  • The Right to Move Data (Data Portability)


  • Privacy by Design
    • In a nutshell, this means that those collecting, sorting and processing data must build privacy into their processes (rather than adding privacy mechanisms as an afterthought). This includes ensuring that minimal data is held (only the amount needed to complete their duties) and that access to data is as limited as possible for those who process it.


  • Data Protection Officer Requirements
    • Not all companies will need to create a Data Protection Officer role or hire the services of an external Data Protection Officer. Only businesses whose core activities consist of processing and monitoring a large number of data subjects, or that hold special categories of data or data relating to criminal convictions and offences, will be required to have a Data Protection Officer.


In essence, the new changes will require businesses to: be in full control of the data they collect (so that an individual’s data can be both sent to them electronically and swiftly erased at the touch of a button); be more transparent with consumers at the point of collection (with all consumers opting in rather than having to opt out, and with terms and conditions made significantly more transparent); and be able to manually segment data when using it to profile (adding a human touch to data collection, but with only the necessary data collected and minimal access given to those who process it).

You can read more about the changes and what they mean for you here.


Or leave it in our capable hands: at AG Automotive, we have a ready-made online platform that can help organisations get ahead of the game when it comes to GDPR. To find out more, visit: https://automotive.alphagraphics.co.uk/