Strictly speaking, GDPR has already been in force since May 2016, but many organisations are only obliged to apply the regulation from 24 May 2018. Under the regulation, companies will have to obtain explicit permission from their customers before they can use their data. They also need to be able to explain the purposes for which customer data is used.
The implications of GDPR for businesses are two-fold. Firstly, they will need to assess their current data collection and storage systems to make sure they are ready for the new regulations. Secondly, they need to put new internal processes in place and update staff on how they access and share data.
There will also be a few changes for international organisations with head offices outside the EU. From May 2018, the ‘principle of the market location’ applies instead of the domicile principle. This means that local or national laws will no longer take priority over European regulations. Businesses that continue to offer services to EU citizens now need to strictly observe GDPR as implemented in the respective target country.
Article 12 of the new regulation also sets stricter information duties. Companies have to inform users about data processing and how long data is stored. There is also a disclosure requirement regarding the length of data storage and any transfer to third parties. These information duties come with accompanying rules on information, revocation and erasure. Individuals are entitled to have their data erased, which is known as the “Right to be Forgotten”.
In contrast to the “Right to Block” of personal search engine results postulated by the European Court of Justice, the GDPR refers to erasure directly at the place where the data is stored. In future, a business that has previously published data about a person will even have a duty to inform other parties that have also processed the data about the individual’s entitlement to erasure.
This new EU General Data Protection Regulation is not a re-invention of existing data protection rights; it only has a new emphasis. From 2018 onwards, organisations face more duties and risks. They not only have to know where, when and which data is being processed, they may also have to document their processing activities.
So how can technology companies and their clients prepare for GDPR?
Primarily, organisations should undertake an analysis of which types of data processing take place in their operation. When processing and storing staff data, is the data handled on behalf of a third party? Is there collaboration with subcontractors, and who may have visibility of the data?
Following the analysis, the data processing should be controlled and evaluated. This evaluation should conclude whether the new data regulations are being met. In addition, it will be good practice to check whether existing order processing agreements, data protection notices and consents comply with the new regulation.
The risk of non-compliance is now considerable. In the past, fines have been rare. However, the fines outlined in Articles 83 and 84 of GDPR bring a whole new dimension to the data protection world. The figures mentioned are around 20 million euros or 4% of worldwide turnover.