We’re living in a data-driven world, one that has changed drastically since the 1995 directive was established to protect EU citizens from privacy and data breaches. Although many of the key principles remain the same, the rules are being updated to keep up with the times and ensure better protection. Let’s explore the top three changes under the General Data Protection Regulation (GDPR) to get a better idea of what’s to come.
- Increased Territorial Scope
One of the biggest changes is the extended jurisdiction of the GDPR. From May 25, 2018, all companies processing the personal data of subjects in the European Union will be subject to GDPR rules and regulations, regardless of the company’s physical location. After this question made its way into some high-profile court cases, it was clear that adjustments were necessary. GDPR will apply to the following companies:
- Controllers and processors established in the EU that process personal data
- Controllers and processors not established in the EU that process the personal data of subjects in the EU, where the processing relates to:
  - Offering goods or services to EU data subjects (regardless of whether payment is required)
  - Monitoring behavior that takes place in the EU
Businesses not established in the EU that process the personal data of EU data subjects will be required to appoint a representative in the EU as part of their GDPR compliance.
To ensure companies take the GDPR seriously, penalties will be imposed when compliance is not met. Organizations that breach the GDPR can face fines of up to €20 million or 4 percent of their annual global turnover, whichever is higher. This maximum penalty is reserved for the most serious offenses, including:
- Not having sufficient customer consent to process data
- Violating the core of Privacy by Design concepts
A tiered approach will be used to determine the amount of a fine for a given violation. We explored this system in detail in our last blog post about GDPR from earlier this month.
With an expanded territorial scope and stricter penalties, it’s crucial that everyone understands the full extent of the regulations. When the GDPR is in effect, “companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.” Consent must be:
- Clearly distinguishable from other matters
- Provided in an intelligible and easily accessible form
- Written in clear and plain language
- As easy to withdraw as it is to give
Stay tuned for more GDPR topics, and be sure to check out the original post, “What is the European Union’s GDPR, and why is it important?”