In a huge change to data protection law, GDPR comes into effect on 25 May with significant fines for non-compliant companies in the event of a data breach - here's all you need to know
It’s all over the headlines, spamming inboxes everywhere and has been the talking point within businesses over the past few weeks – now the General Data Protection Regulation (GDPR) is finally here.
The new law comes into effect across the European Union tomorrow (25 May) as a replacement for the 1995 Data Protection Directive.
A component of EU privacy and human rights law, the original directive was put in place by the EU in 1994 to protect people’s personal data.
The new GDPR regulation gives people the opportunity to let companies know whether they would like them to keep their personal data.
The responsibility for compliance rests on the shoulders of the business.
Failure to comply can lead to a maximum fine of up to £17.5m or 4% of the company’s global turnover.
Who is affected by GDPR?
The new regulation affects all businesses, but in particular those that rely on consumer data, such as technology firms and marketers.
Consumers and data subjects stand to benefit the most from the GDPR, as they can choose to withhold consent for particular uses of their data.
They can also ask for access to their personal information from companies or choose to have their details deleted from the company altogether.
Is there a GDPR checklist?
The single overriding principle of GDPR is that companies can’t hold personal data without that person’s consent.
This could include everything from their name, phone number and email address to internet browsing habits, political opinions and health data.
Should any cyber attacks or accidental leaks breach a company’s security, it must be reported within 72 hours.
Many companies may wish to appoint people to specialist roles, as GDPR defines positions responsible for ensuring compliance – data controller, data processor and data protection officer.
Management should be briefed – or indeed trained – on compliance, while a data inventory would help organisations to identify the risks in their data processing activities.
Bringing internal data policies and privacy notes into line with GDPR, updating employee, customer and supplier contracts, and scheduling regular data and security control audits adds more layers of protection.
Punishment will not be handed out automatically in the event of a data breach, but it could be if a company is found not to have had the necessary controls and monitoring in place.
A useful GDPR checklist can be found here.
What are the big companies doing to comply with GDPR?
It has also made it compulsory for every user to agree to its new terms.
Apple didn’t feel the need to change too much in response to the new regulation as the company claims it doesn’t collect much personal data from its customers.
Google has taken a different approach and kept its privacy policies confidential – as it has not wanted to draw attention to the changes made.
Google’s CEO Sundar Pichai said: “It’s important to understand that most of our ad business is search, where we rely on very limited information — essentially what is in the keywords — to show a relevant ad or product.”
Twitter hasn’t been clear about what updates it’s made.
The social media platform has said the updates will focus on the controls it offers users over their personal data.
Microsoft has also got involved, creating a privacy dashboard that allows people to review settings, delete data and download information the firm keeps about them.
What happens after Brexit?
As the UK is intending to exit the EU by March next year and the GDPR data protection regulation only applies to the EU, the regulation will only be part of British law for a short time.
Even if UK companies continue to do business with the EU after Brexit, they will still need to comply with the regulation to avoid data breaches, according to the GDPR Group.
In June last year, the UK Government also signalled an intention to bring GDPR into British law, ensuring the country’s data protection framework is “suitable for our new digital age, allowing citizens to better control their data”.