The General Data Protection Regulation (GDPR) applies across all EU member states from 25 May 2018. The Regulation makes significant and, in some areas, radical changes to current practice, which has been based on the existing EU Data Protection Directive.
The Regulation shifts control over an individual's personal data from the organisation holding it to the individual concerned, the data subject. It gives individuals in the EU control over their data, including the "right to be forgotten" (the right to erasure). From now on all companies and marketers are legally bound to respect the rights of the individual over his or her personal data, and those rights determine the manner in which, and the purposes for which, personal data may be collected and processed. The GDPR defines personal data as any information relating to an identified or identifiable person, whether that information identifies the person on its own or in combination with other data.
Non-compliance with GDPR may lead to significant fines from the Data Commissioner (up to 4% of annual global turnover or €20 million, whichever is higher) or to legal action in the courts. Compliance should nonetheless be seen as more than a way of avoiding penalties: it is essential for business reputation, for morale in the workplace and, above all, for demonstrating a commitment to the highest levels of respect and concern for customers and clients.
The requirements of GDPR mean that businesses and marketers need to make significant changes to their data collection processes quickly, covering the following general areas:
- The collection of data needs to be relevant for the purpose
- Using that data for another purpose will need further consent from the data subject
- Databases will need to be cleaned so that the marketer can identify whether consent was granted lawfully and fairly, whether the data is being used for explicit and legitimate purposes, what data has been collected, and whether that information is accurate.
- The purpose has to be unambiguous, clear and simple. If it is not, the consent will not be valid.
- Consent must be given and not assumed
- The onus is on the marketer/business owner to prove that consent was given: you must record who consented, when, and how.
- The data subject must be able to withdraw consent at any time, and withdrawing consent must be as easy as giving it.
- Consent should cover all processing activities carried out for the same purposes.
- Silence, pre-ticked boxes or inactivity do not constitute consent.
The repercussions
If a violation occurs, organisations can be fined up to 4% of annual global turnover or €20 million, whichever is higher.
Fines are not the only corrective measure available. The supervisory authority can also:
- Issue warnings
- Issue reprimands
- Order compliance with data subjects' requests
- Order the organisation to communicate a personal data breach directly to the affected data subjects
There are two levels of administrative fines:
The maximum fine at the first level is €10,000,000 or, in the case of an undertaking, up to 2% of total annual global turnover (not profit) for the preceding financial year, whichever is greater. This level covers breaches of the obligations placed on controllers and processors, such as security of processing, record keeping and breach notification.
The maximum fine at the second level is €20,000,000 or, in the case of an undertaking, up to 4% of total annual global turnover (not profit) for the preceding financial year, whichever is greater. This level covers breaches of the basic principles of processing, including the conditions for consent, of data subjects' rights, and of the rules on international transfers.
In the run-up to the Regulation taking effect, it is advisable to start cleaning databases now and to consider an internal GDPR audit that helps management and staff recognise the GDPR-related issues that arise when dealing with both existing and external databases.