The new EU General Data Protection Regulation (GDPR) has been a long time coming after initial drafts were followed up by a yearlong debate between industry leaders who want to use our data and those who seek to protect it. The result is a first step in the right direction, and one which all sides can live with.
Technology has changed our economic and social life irreversibly, and many countries’ data protection laws already contained several basic principles which have shown themselves to be applicable to the rapid technological developments which have accompanied globalization – Germany’s strict laws being a good example. None of these existing principles are set to change.
But with the immeasurable increase in data exchange between businesses, state organizations and private individuals across the European Union, data protection is faced with an ever-increasing mountain of challenges. The Europe-wide General Data Protection Regulation may have a rather uninspiring title but it was certainly needed.
Retention of the tried and tested – plus some new additions
With the new GDPR, the EU is not aiming to change any of the existing core principles of data protection. A license for the sharing of personal data will still be required, stipulating that data can only be gathered in those areas and fields where it is genuinely needed.
The new regulation is also aiming to put the “protection” back into data protection by increasing individual rights. Anyone whose data is gathered, stored and shared must have a right to know exactly what happens with their sensitive information. This includes a Right to Information allowing them to find out what exactly their data has been used for, how long it is stored and who receives it or has access to it. This is an extension of the so-called “right to be forgotten”, which was established a few years ago by the European Court of Justice and now has a place within the GDPR.
One new aspect worthy of note is the expansion of the territory in which the new regulations are applicable, which will now cover businesses that are based outside the EU but use data from EU citizens. This is a clear response to the data and privacy scandals currently engulfing certain large US corporations.
How will it affect my business? You still have time to adapt…
The new GDPR will not come into force until May 2018, giving businesses adequate time to familiarize themselves with the new regulations. Any internal processes which involve data management and sharing will be affected and may need to be adapted, and alterations to businesses’ privacy statements may also be necessary. Given the size and scope of the new regulations, this is no quick task – but you have more than enough time.