When the European Union’s General Data Protection Regulation becomes a reality on May 25, 2018, it will fundamentally alter how companies collect and use personal information on EU residents. BCD Travel experts dove into GDPR and emerged with a list of nine big changes ahead:
- More consistency: GDPR will become law without legislation in each EU member state. This means a greater degree of harmonization on data protection requirements.
- Broader scope: “Personal data” will be defined more widely and include online identifiers such as internet protocol, or IP, addresses.
- Effect beyond region: The law applies to entities that are established in the EU; offer goods and services in the EU; or monitor the behavior of individuals in the EU. So, even a company without a presence in the European Union may be subject to the requirements.
- Bigger fines: Failure to comply with GDPR requirements can lead to fines of up to €20 million (about US$23.6 million) or up to 4% of the annual global turnover of the previous financial year.
- Clearer consent: GDPR sets a high consent standard for processing (collecting, using and storing) personal data. The consent must be unambiguous and involve a clear, affirmative action. Silence, pre-ticked boxes or inactivity cannot be used to imply consent. People also must be able to revoke consent easily.
- Breach notification mandates: GDPR requires a data breach to be reported to the EU data protection authority “without undue delay” and, where feasible, within 72 hours of awareness, unless the breach is not likely to put the rights and freedoms of affected individuals at risk. In certain circumstances, affected individuals must be notified without undue delay. In addition, GDPR requires a data processor to notify the companies it serves without undue delay if there’s a breach.
- Expansion of individuals’ rights: The new law bolsters existing rights of individuals and introduces new ones, such as the right to be forgotten and the right to data portability (transfer of data to another party).
- Privacy by design: Data privacy must be considered from the outset when new technologies are designed. Companies using people’s data must conduct privacy-impact assessments on any potentially “high-risk” processing—for example, when using new technologies.
- Data protection officer: GDPR requires appointment of a data protection officer if an entity’s “core activities” involve regular, large-scale processing or monitoring of individuals’ data—in particular data related to criminal convictions or offenses.