Any individual living in the current technological age may have had doubts about the protection of their personal data. When personal data is handed over so freely for social media accounts, automatic online sign-ins, employment contracts, legal claims, health records and other reasons, it is understandable why these doubts arise.
These doubts are only heightened by seeing advertisements that relate so closely to search history patterns, and by receiving emails from businesses without ever having given explicit consent to them. Businesses process and control personal data on a daily basis for these reasons, and only now have individuals been given further rights to protect themselves against this.
The new General Data Protection Regulation (GDPR) has recognised the need for protection of personal data. It will apply from 25 May 2018 and ensures that personal data flowing in, or from, the EU is protected under one harmonised law.
For any business processing data, or controlling data with businesses that process data, compliance is essential. There are new requirements under the GDPR that need to be followed. These include, but are not limited to:
- Ensuring that consent has been genuinely obtained for the processing. If consent is obtained from a child, parental consent must also be obtained. Consent must be freely given, clearly separate from other information, expressed in plain language and made through a positive action that is obvious to the individual as the giving of consent. This means that the ticking of a box would be acceptable, but the unticking of a box would not be.
- Making sure that the whole business is educated and trained about the GDPR, carrying out impact assessments and documenting all processing activities that are carried out. Records of training and impact assessments must be kept, as a Supervisory Authority may ask a business to show proof of GDPR compliance.
- Allowing individuals extra rights after the processing. These include:
  - A way to withdraw consent as easily as giving it;
  - A way to access the personal data that a business holds about them, in a readable format; and
  - A way to request that their data is completely deleted.
Information about how an individual may exercise these rights must be provided by a business, for example within a privacy notice or at the time consent is given.
And what if a business doesn't comply? It can be fined over 20 million euros. For any business, this is a huge sanction. Non-compliance is not an option when faced with this potential penalty.