Privacy & Consent

An Essential Guide to the New European Data Protection Laws

Dmexco, the premier European digital media conference, is currently underway in Cologne. As global brands, publishers, and ad tech leaders meet to discuss opportunities and challenges in digital media, a new set of data protection laws proposed in the European Union has quickly become the hottest topic of discussion.

This is your go-to guide for understanding the General Data Protection Regulation, or GDPR, and what it means for you.

What is GDPR?

The General Data Protection Regulation is the new regulatory framework that will replace the 1995 data protection directive. That directive has been around for two decades and, in conjunction with national data laws, currently lays down stipulations for how businesses and public offices collect, store, and use personal user data in the European Union.

In these two decades, the Internet-based economy has gone mainstream, changing how user data is captured and used by businesses — both in terms of size and scope, rendering the older directive largely obsolete.

After years of discussion and negotiations, GDPR was adopted by both the European Parliament and European Council in April 2008, and the new regulation and directive were published soon after. The regulation is slated to come into effect in May 2018, giving organizations covered by the regulation enough time to prepare.

The new regulation will empower users with new rights to access the information that companies hold on them, and it brings directives for better data management and information security, along with a new set of fines in case of non-compliance.

Need to Know

Who will be affected: Any organization that collects information about EU residents
When: 25th May, 2018
Enforcing agency: The Information Commissioner’s Office in the UK (ICO)

Organisations falling under the category of data controllers or data processors will be required to comply with the new regulation. This covers startups, nonprofit organisations, enterprises — basically everyone.

The thing to note here is that GDPR is not a Europe-specific issue: it will affect any organization that offers goods or services to users in the EU or monitors the behavior of people located in Europe, irrespective of where its offices or data servers are located.

GDPR covers both personal and sensitive user data. Personal data may include name, email, address, IP… and other such details commonly collected during sign ups. Sensitive data includes genetic information, biometric scans, political or religious views, and sexual orientation, among others.

One important change in the new regulation is that unlike the earlier directive, it also covers user data stored under a pseudonym, as long as the pseudonym can be used to identify the individual.

New User Privileges

In the previous regime, users had to raise a Subject Access Request (SAR) and shell out £10 to gain access to the information that a company may be holding about them. Under GDPR, requests for personal information can be made free of charge. In addition, this data must now be provided to the user within 30 days of the request being raised.

The regulation also gives users the right to have their data erased in circumstances including when the data was collected unlawfully or without legitimate interest, when consent is withdrawn, and when the data is no longer required for the purpose for which it was collected.

Data Security and Compliance

Apart from guidelines on data collection and user privileges, GDPR also has directives on setting up and ensuring set standards of data security including data audit and assessment, protection policies, and documentation.

In recent years, there have been multiple large-scale data breaches, including the compromise of user account information held by companies such as Yahoo and LinkedIn. Under GDPR, companies will now be accountable for “destruction, loss, alteration, unauthorised disclosure of, or access to” user data.

In case of data loss or breach, organisations have to inform the government within 72 hours of finding out about the incident, work with regulatory bodies in the period that follows, and may be subject to legal action.

Startups typically forgo due diligence when it comes to data collection and security in favour of speed and scaling; this will no longer be possible without incurring fines.

For organisations with more than 250 employees, documentation will be mandatory on why user information is being collected, where it’s being held, for how long, and technical data detailing the security measures in place. Large organisations may also need to specifically hire a “data protection officer” to oversee and ensure policy compliance.

Fines

One of the most discussed aspects of GDPR is the new regime of fines that it comes with. Fines can be levied for both small and big instances of non-compliance now.

Didn’t hire a data protection officer when GDPR required you to? You can be fined. Had a security breach? There’s a fine for that. Incomplete documentation? Fined. You get the idea. And unlike the earlier directive, the fines can be substantial.

For smaller offences, companies could incur fines up to €10 million or two percent of the organisation’s global turnover, whichever is greater—more serious offences could lead to fines up to almost twice that amount. This is a huge step up from the upper cap of £500,000 that existed under the previous data protection directive.

The ICO, however, has been clear about “preferring the carrot to the stick” and has been doing its part to settle the sense of panic in the industry.

“It’s scaremongering to suggest that we’ll be making early examples of organizations for minor infringements or that maximum fines will become the norm,” wrote Elizabeth Denham, the U.K.’s information commissioner, in a recent blog post.