With less than a year to go, many people have still not grasped the depth and severity of GDPR. But willful ignorance is not something the law will abide, so beware.
In part one of our introduction to GDPR, we look at the new EU regulation from the basics up and try to explain the background to the law, whom it applies to, and some of the things that you are lawfully obliged to implement. With the promise of expensive fines and stringent prosecution, this is something that will have a significant impact on business both inside and outside the EU. Let’s take a look at the background to GDPR and get a deeper picture of how it affects you.
What is GDPR?
GDPR is an acronym for General Data Protection Regulation. It is an EU regulation that will bring about the biggest changes in data protection in the EU since 1995. GDPR was created to bring as much uniformity into data protection as possible, which is a big change from the current situation. The existing 1995 EU Directive had to be transposed into each member state's national data protection law, so there can still be significant differences among states. Because GDPR is a regulation rather than a directive, it will be directly applicable in every member state. It also means that if someone wants to do business in Ireland, for instance, they can now be sure that a similar legal regime will exist in other member states too. This new regulation is better suited to the challenges our current digital world poses.
When Will GDPR Come Into Effect?
GDPR will come into effect on May 25, 2018, but the final text has already been available for more than a year. In every member state, a public authority is responsible for dealing with GDPR issues from an administrative point of view and for imposing any fines arising from non-compliance. Although the regulation is more or less standardized throughout the EU, there are some areas where member states still have the ability to amend the rules. For instance, GDPR requires that children under 16 have the consent of a parent or guardian before their personal data is processed, but a member state can lower this threshold to the age of 13. As GDPR states, “the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.”
How Will GDPR Be Implemented and How Can Companies Prove They Are Compliant?
Under the principle of accountability, it is the responsibility of the company to prove that it is compliant. This means they must be able, at any time, to demonstrate GDPR compliance. Because several of the supporting mechanisms are not ready yet, GDPR encourages each sector to draw up its own code of conduct; once such a code has been approved, a company in that sector can implement it and rely on it as evidence that it is GDPR compliant. GDPR states, “The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.”