The General Data Protection Regulation Reform: Europe Steps Up for Digital Age
The European Commission proposed new regulations on data protection in the wake of a high-profile security breach that occurred in 2011. The incident, in which a technology company leaked the personal data of 77 million customers, ranging from their names to credit card information, shocked citizens of the European Union. The regulation proposed in 2012 was adopted by the Council in April this year, after which it was adopted by the European Parliament. The regulation, which will supersede the laws of all EU member states, will come into effect on 25 May 2018.
What changes have been made?
The European Union has made these changes to guarantee the privacy rights of citizens in the digital age, giving them more control over their personal data. The reform is focused on strengthening the EU's internal market while setting global data protection standards and making international data transfers more efficient.
Here are some points about the General Data Protection Regulation (GDPR) you need to know:
Consent – When the new regulations come into force, citizens of Europe will be able to withdraw their consent easily. This means that if they no longer want their data to be processed, the organization or company holding it must delete it. This strengthens the rights of citizens by allowing them to have their records erased. Sensitive data must be handled explicitly. Data must be given with freely given consent; data provided as a condition of a contract, where it is not necessary for that contract, will not be considered freely given consent. Children under the age of 13 cannot give free consent, so it must be given by their parents or guardians. This might affect some e-commerce services. There will be a right to object where collected data is to be processed for direct marketing, and the person providing the data must be informed of this right.
Data breach notification – The GDPR gives citizens the right to know when their data has been breached. This means that companies and organizations must inform both the user and the national authority in case of a data breach, especially if the individual is at risk.
Data protection by design and by default – These two will be essential elements of the reform. Products and services must safeguard data from the earliest stages of their development. Social networking sites, mobile apps and the like will have to maintain a high standard of privacy settings by default. The privacy of users should be a top priority.
Data Protection Officers – It will be mandatory for data-controlling organizations and companies that process a large amount of data to appoint a Data Protection Officer (DPO). The person appointed must have expertise and knowledge of the latest laws and practices. DPOs have to ensure compliance with the regulation within the organization or company.
Risk Assessment – Under the new reforms, it will also be mandatory for organizations and companies to conduct an analysis of the impact a data breach would have, and of the steps that should be taken to minimize it.
What is the one-stop shop in GDPR?
When the GDPR was designed, the Council had a one-stop shop in mind. Before the GDPR, rules that were identical on paper were considered enough for data processing within the single market. The new regulation states that the rules must be applied in the same way everywhere. The one-stop shop will ensure that data protection authorities across Europe cooperate, so that companies deal with only one authority rather than with each authority individually. This will make decision-making faster, eliminate multiple contact points and reduce red tape.
Why do businesses need to pay attention to GDPR?
Once the regulation takes effect, the changes to the existing rules will affect many organizations around the world. As the penalties are high, businesses operating in the EU will need to understand the incoming regulations. If you are familiar with the changes, you can comply with your obligations more effectively. Any company that processes the data of European Union citizens will have to comply with the GDPR, irrespective of its location.
Penalty for offenders
This is the section where the European Council made clear that it is very serious about the protection of citizens' data. If you think that your organization can forgo the GDPR, think again, because the stakes are high. Under the new regulation, any organization found guilty of breaching it will have to pay a heavy fine levied by the Council. The fine can be up to four percent of the organization's annual global turnover or 20 million Euros, whichever is higher. Note that the fine is calculated on turnover, not on profit. There will be a lower tier of fine for those whose offense is less serious; in this case, the fine will be 2% of global turnover or 10 million Euros. Periodic data protection audits will be conducted under the new regulation. Companies or organizations whose first instance of non-compliance is unintentional will receive a written warning.
Digital single market and benefits for business
The data protection reform will help in attaining a digital single market in many ways, and this will be very beneficial for businesses. With a single data protection law throughout Europe, companies will be able to save an estimated 2.3 billion Euros per year. As discussed earlier in this article, the one-stop shop will help businesses make faster decisions, as they will have to deal with only one authority. All companies will adhere to the same set of rules, irrespective of their size and location.
In conclusion, this is a major step taken by the European Council to protect the rights and personal information of its citizens in the age of digitalization. The strict new framework will help rebuild the trust of citizens that faded after the 2011 breach, and it will bring a wide set of benefits for everyone.