The GDPR legislation is designed to “harmonise” data privacy laws across Europe as well as give greater protection and rights to individuals. Within the GDPR there are large changes for the public as well as businesses and bodies that handle personal information, which I will go into in some depth later on.
After more than four years of discussion and negotiation, both the European Parliament and the European Council adopted GDPR in April 2016. The underpinning regulation and directive were published at the end of that month. After publication of GDPR in the EU Official Journal in May 2016, it will come into force on May 25, 2018. The two-year preparation period has given businesses and public bodies covered by the regulation time to prepare for the changes. There will be no GDPR transition period after May 2018; we are in it now!
GDPR is not a pointless, mindless piece of legislation that a company can focus on for the next few months and then forget. It is a fundamental change in the balance of power between a company and its customers, suppliers, employees or anyone else it trades with or holds personal data on.
This is not only a shift in power; it also comes with onerous data breach notification requirements and new rights for the ‘data subject’. These rights, for example, allow them to withdraw consent at any time, do away with opt-out consent, expand a data subject’s right of access to the data which a company holds on them to include all data files, emails, letters, pieces of paper and scanned images, and also give them the right to data portability and the right to request not to be profiled (think of this from your marketing and data analytics perspective).
Subject Access Requests will now become free, spawning a whole new industry looking to make money off the next quick scam, and will also have a massively shortened turnaround timescale. The concept of personal data is expanded to include electronic identifiers such as IP addresses, cookies and a lot more. Profiling and automated decision-making will have to be justified under legal necessity for provision of a service, or the company will have to show that there is a legitimate interest and justification for their use (such as in marketing). If automated decision-making is in use, then the data subject has the right to a manual review of the outcome of this process (the outcome can be the same, but there has to be a manual review).