On 25th May 2018, new rules concerning the collection, storage and processing of personal information relating to individuals in the European Union (EU), regardless of nationality, come into force. For companies that do not conform in time, this could lead to expensive fines.
The new regulation is The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). This is a regulation by which the European Parliament, the Council of the European Union and the European Commission will seek to strengthen and unify data protection for individuals living in each member state of the European Union. The rules will also apply to any personal data exported from within the European Union to a country outside of the European Union.
Andrus Ansip, European Commission Vice-President for the Digital Single Market, has clarified the vision as: “Our digital future can only be built on trust. Everyone’s privacy has to be protected. Strengthened EU data protection rules will become a reality on 25 May. It is a major step forward and we are committed to making it a success for everyone.”
The intent behind the GDPR is pass control of data back to citizens of nation states and residents. There is a secondary intention, which is to simplify the regulatory environment for business by pulling together different data rules and regulations.
Rights afforded to European citizens under the new legislation:
The need for the individual’s clear consent to the processing of personal data;
Easier access by the subject to his or her personal data;
The rights to rectification, to erasure and ‘to be forgotten’;
The right to object, including to the use of personal data for the purposes of ‘profiling’;
The right to data portability from one service provider to another.
The rule comes into enforce from May, 25 2018 (this follows a two-year transition period). There is no further implementation period and therefore the rule is directly binding and applicable from this date. Despite the transition period, many businesses have been slow to act. According to Computer Weekly, the new rules mean that any organisation that has so far failed to begin preparations faces a steep challenge to become compliant in time.
According to Eduardo Ustaran, who is European head of privacy and cyber security at law firm Hogan Lovells: “At stake are not only the consequences of non-compliance, but the ability to take advantage of the opportunities presented by new technologies, data analytics and the immense value of personal information.”
To assist the European Union has set up a website as a resource to educate the public and business leaders about the main elements of the GDPR rules.
