This year sees major changes for data protection and privacy laws the world over. Arguably the most significant and comprehensive data protection legislation in history, the General Data Protection Regulation (GDPR) will replace existing EU privacy laws and change the face of privacy protection. The new law has far-reaching global implications, applying not only to businesses operating in the EU, but also to any business worldwide that collects personal information from EU data subjects.
This is a massive change when it comes to privacy protection legislation, and is provoking a flurry of activity worldwide in 2018 from businesses affected by the change, as well as those offering legal and practical services. There is a strong feeling among privacy experts, however, that not enough has been done by organisations preparing for the GDPR; it is not too late, but all businesses need to make sure they prepare now to reach full compliance before the change on 25th May 2018.
What changes are required under the GDPR?
Essentially, the GDPR requires a comprehensive reimagining of privacy standards, and includes many new regulations that are proving a headache for the underprepared. The regulation introduces the right to be forgotten, mandatory consent for collection of data, mandatory data breach notification, a call for specificity and relevance in data collected, and the exemption from profiling by algorithms, and the mandatory destruction of data once it is no longer relevant.
In addition, it offers regulatory power to data protection authorities like the European Data Protection Board super-watchdog, and requires the appointment of data protection officers in companies that handle large amounts of personal data. Most of these changes require a total policy and practice overhaul, including changes to collection, handling, storage, and disposal of data.
The GDPR should not be taken lightly, with non-compliance attracting fines of up to €20 million, or 4% of annual worldwide turnover (whichever is greater). Advice and information about the change is becoming more accessible to businesses this year as the change date draws closer. It is clear from the current mood in the press that, until recently, many companies have failed to recognise the significance of the changes and the vast quantity of practical and software changes required when preparing for the GDPR in order to bring businesses up to the high standard required.
How are organisations preparing for the GDPR?
Now, with less than 100 days to go before the GDPR cracks down in May, businesses are becoming more aware of the implications, as the reality and complexity of the new laws hits home and they begin preparing for the GDPR. However, some reports suggest that by the time the GDPR comes into play, more than half of the affected companies will still not be fully compliant, while around half will still be struggling to achieve full compliance even by the end of this year. This is not ideal for non-compliant organisations, as it soon leaves them open to huge penalties in the case of a data breach. In essence, the time to start preparing your business – if you haven’t started already – is now.
Data breaches are becoming more common and more severe every year — large companies like Yahoo, Uber, Equifax, and many more still face ongoing publicity and repercussions from recent breaches. Cases like these have brought data protection into the limelight. In addition to the 2018 legislative changes including the GDPR, the Notifiable Data Breaches (NDB) Act in Australia, and the proposed Breach of Security Safeguard Regulations in Canada this year, widespread publicity has brought data protection to the forefront of awareness for both consumers and organisations. But businesses are still proving largely underprepared for the change.
Though the law is now imminent, there is a tangible level of uncertainty surrounding the GDPR and how it will affect organisations. Lawyers and data protection experts are working hard to prepare companies for the overhaul, with training programs, software expertise, and legal guidance available in most countries, both within the EU and further afield.
It’s important for every organisation worldwide that handles EU data subjects — even just a single EU customer — to understand what changes will be required to get current privacy practices up to speed and avoid the heavy penalties of the GDPR.
Over the coming weeks leading up to the change, we’ll underline key aspects of the GDPR and keep you up-to-date with relevant information that will help your business in preparing for the GDPR.
This blog post is intended for informational purposes only. Although every effort has been made to present accurate and current information, accuracy cannot be guaranteed. Please note that the information within this blog post does not constitute legal advice and should not be relied upon as such. For legal or professional advice, contact a solicitor.