The ‘Data Protection Directive’ was implemented in 1995 and was put in place for the protection of individuals with regard to the processing of personal data and the movement and use of such data. It is considered an important element of European Union privacy and human rights law.
However, in the fast-moving world of IT the act was considered to be lacking in certain areas, so in 2012 the EU looked at creating a replacement policy in the form of the General Data Protection Regulation (GDPR). This new act will be adopted this year, but official enforcement will not begin until Spring 2018. This is to allow companies to understand the legislation and put the required measures into effect.
A summary of the reasoning for the new GDPR act is as follows: “The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 2% of worldwide turnover.”
The GDPR is already creating a lot of concern for businesses, with half of global companies saying they will struggle to meet the rules set out by Europe unless they make significant changes to how they operate. In addition, differing regulations in different regions are creating inconsistent, and often incompatible, instructions for how personal information is stored, processed and shared. It will become a real challenge for a company to be compliant in all regions.
One of the key themes of the GDPR is accountability. In practice this will entail establishing a culture of monitoring, reviewing and assessing your data processing procedures and policies, aiming to minimise data processing and the retention of data. Auditable data impact assessments will also need to be conducted and steps taken to address any risks that are highlighted during the audit.
Nearly all businesses and organisations keep digital copies of customer data – so it’s clear that data protection and the issues associated with it are here to stay. Protection of this data is vital and the penalties for not doing so are only going to get harsher. Obviously the GDPR is very extensive, and it will undoubtedly require some time and effort to understand and implement.
Our recommendation is to do some research and get a good head start on putting the required changes into place.