From 25th May 2018, the General Data Protection Regulation (GDPR) will come into force and replace the way publishers are able to store, use and distribute data. The new regulation will supersede the outdated 1998 Data Protection Act. Introducing harsher fines for non-compliant companies and giving people across European countries more control over what organisations can do with their personal data.
Under the new legislation personal data now extends further than personally identifiable information (PII) data which currently includes: name, email address, purchases, etc. GDPR now incorporates non-personally identifiable information for the digital age such as anonymous cookies, location-based data, IP address, etc. All the information collected must have a clear opt-in/opt-out process and explain what data is being collected and why.
The new legislation will affect all EU countries and those companies that are based outside of the EU if they collect or use personal data of European residents. Failure to follow the new legislation could result in a serious fine. There are two levels of fines, the first is up to €10 million or 2% of the company’s global annual turnover. The second is up to €20million or 4% of the annual worldwide turnover (whichever is greater). A supervisory body can also decide to force an organisation to cease all collecting and use of data if regulations are not followed.
The new GDPR affects individuals, organisations, and companies that are either Controllers or Processors of personal data.
Controllers – The entity that decides the purpose and use that the personal data you have collected is used
Processors – The entity that processes the data on behalf of the controller. This role includes obtaining, recording, adapting or holding personal data.
GDPR will have a larger impact on some organisations more than others, however, it will affect every company that collects data in some way. Many parts of the regulation are similar to the current Data Protection Act and can relate to information that is collected through an automated process. However, there are new elements of the new regulation which require significant changes. Therefore, you will be required to review your approach to data protection and change the way your business handles all data.
In short, all EU business and those who deal with EU citizen’s data will now be more accountable for their handling of people’s personal/digital information. Businesses must have data protection policies, data protection impact assessments and relevant documents on how data is processed in order to be fully GDPR compliant. Businesses must have data protection policies, data protection impact assessments and relevant documents on how data is processed in order to be fully GDPR compliant or face substantial fines.
Further Reading:
Full regulation document: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
Union’s official website for the regulation https://www.eugdpr.org/
The ICO’s 12 step guide to prepare for GDPR: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr
As soon as we have more information about what publishers need to do we will post it on the blog.
*This blog post provides general information on how GDPR are going to affect our clients and should not be taken as legal advice