New regulations ensure personal data protection for E.U. citizens
New regulations dealing with the protection of personal data for the citizens of the European Union went into effect on 25 May, 2016. E.U. General Data Protection Regulation 2016/679 (GDPR) will fully replace Directive 95/35/EC in 2018, after a two-year transitional period.
The new regulations, drawn up in 2012 for the purpose of ensuring a consistent and high level of protection of an individual’s personal data and rights, have sharper teeth than the previous “directive” which could only set minimum legal standards for EU states. By revamping and reclassifying the rules, GDPR ensures stronger enforcement of the rules while streamlining international transfers of personal data and set new, global, data protection standards by extending the GDPR’s territorial reach, whereby companies outside the EU that wish to target consumers within the EU will be subject to the same rules regarding transfers of personal data.
Some highlights of the GDPR provide:
- Increased fines for violations: Fines of up to 4% of the offending company’s total worldwide annual turnover can be assessed, meaning losses of millions – or billions – of dollars for larger entities.
- Right to erasure: Article 17 states that data subject now has the “right to erasure” or “right to be forgotten,” which allows them to order a data controller to erase any of the subject’s personal data in certain situations.
- Designation of data protection officers: Any company that offers large-scale processing of data that reveals a subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, memberships in trade unions, genetic or biometric data (if processed in order to uniquely identify a person), health, sexual orientation or activity, must appoint a designated Data Protection Officer (DPO). The DPO will monitor compliance as well as serve as point of contact with relevant supervisor authority.
- Data breach notification: Controllers must notify the appropriate supervisory authority of the personal data breach within 72 hours of learning about the breach. Notification must describe the nature of the personal data breach, the categories and approximate number of data subjects implicated, the contact information of the organization’s data protection officer, the likely consequences of the breach, and the measures the controller has taken or proposes to take to address and mitigate the breach.
The two-year transitional period was established so that EU companies that now have to follow ever greater data protection standards can adopt new internal procedures in order to ensure compliance by 2018.
If your idea of fun includes reading E.U. legislation, here is a link to the 88 pages of E.U. General Data Protection Regulation 2016/679.